| 标题 | BichitroGan ISP Billing Software 2025.3.20 Insecure Direct Object Reference (IDOR) / Broken Access Control |
|---|
| 描述 | An Insecure Direct Object Reference (IDOR) vulnerability exists in the BichitroGan ISP Billing Software version 2025.3.20.
The endpoint:
?_route=settings/users-view/{id}
does not properly validate user authorization. A low-privileged authenticated user (such as a Sales role) can manipulate the user ID parameter to access other users' account information, including administrative accounts.
By changing the numeric ID in the URL, attackers can enumerate users and retrieve sensitive account information without proper authorization checks.
Example:
https://demo.bichitrogan.com/?_route=settings/users-view/4
Impact:
• Unauthorized access to user information
• Exposure of administrator account details
• User enumeration
• Potential reconnaissance for privilege escalation
The vulnerability occurs due to missing server-side access control validation on the user profile endpoint. |
|---|
| 来源 | ⚠️ https://github.com/4m3rr0r/PoCVulDb/issues/15 |
|---|
| 用户 | 4m3rr0r (UID 85795) |
|---|
| 提交 | 2026-03-12 10時15分 (17 日前) |
|---|
| 管理 | 2026-03-27 17時06分 (15 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 353953 [BichitroGan ISP Billing Software 2025.3.20 Endpoint users-view 标识符 权限提升] |
|---|
| 积分 | 20 |
|---|