Webcollab 3.4.6 | IDOR vulnerability

2019.02.14

Expert (AZ)

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2019-8332

CWE: N/A

####################################################################
# Exploit Title: Webcollab 3.4.6 - IDOR (Insecure Direct Object References)
# Dork: N/A
# Date: 27-01-2019
# Exploit Author: Expert
# Vendor Homepage: https://webcollab.sourceforge.io/
# Software Link: https://sourceforge.net/projects/webcollab/
# Version: 3.4.6
# Category: Webapps
# Tested on: Xampp, @Win
# CVE: N/A
# Software Link : A web-based project management tool for workgroups.
Encourage groups and individuals to work collaboratively.
This tool aims to be functional and elegant without being complicated or graphically intensive.
####################################################################
# Vulnerabilities - POC
# In order to use the weakness, we create a user and log into the application with this user.
# When we change the id = value in the url section, we see that the user information has changed.
# The proof of the deficit is in the link below.
# https://i.hizliresim.com/V93k7B.jpg lt;== userid=4 normal user
# https://i.hizliresim.com/QLp6nj.jpg lt;== userid=1 admin user
####################################################################

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Webcollab 3.4.6 | IDOR vulnerability

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.