Hi All,
I am Maloy Roy Orko
Recently, in one of my pentest research projects, I found Real-Estate-Management-System, an application by Script and Tools, which is an open source Real Estate Management System written in PHP.
Curious to explore its functionalities, I downloaded and set it up in my local system.
After fiddling with the source code, I found that the userdelete.php file is vulnerable to IDOR!
It can lead to:
- Unauthorized Data Access
- Data Manipulation
- Account Takeover
- Privilege Escalation
- Denial of Service (DoS)
- Reputation Damage
- Regulatory Consequences
The main point is that if any non-IT person uses this template, they will be exposed to this vulnerability and their company's reputation can be damaged too. That is why I am trying to inform everyone about this.
Title of the Vulnerability:
Script and Tools | Real Estate Management System V 1.0 | userdelete.php | IDOR
CWE: 639
Vulnerability Class: Insecure Direct Object Reference (IDOR)
Product Name: Real Estate Management System
Version: 1.0
Vendor: https://github.com/scriptandtools/
Vulnerable Product Link: https://github.com/scriptandtools/Real-Estate-website-in-PHP
Technical Details & Description: The application's source code acts on a user-supplied record identifier without checking that the requester is authorized to do so, which allows Insecure Direct Object Reference (IDOR); the possible impacts are those listed above.
Product & Service Introduction:
Real Estate Management System (Version-1.0)
Observation & Exploitation:
Here, the vulnerable file is:
userdelete.php
Who is affected by this IDOR?
-> The administrator and all other users.
Reproduction:
(1) First, go to userdelete.php.
You will see that no administrator access is needed to delete any user through this endpoint; only the id parameter value is required.
Example:
http://192.168.0.100:8080/reali/admin/userdelete.php?id=28
(2) Now, supply any user's account ID in the parameter to delete that user's company account.
Here, I will delete the company account of Noah.
Noah's ID is 28.
So the payload will be:
http://192.168.0.100:8080/reali/admin/userdelete.php?id=28
Consequences & Impact:
Just open this URL in the browser and Noah's account will be deleted; in the same way you can delete even the admins, and they will lose access to the company system.
See the image: the account of Mukesh has been deleted.
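As an added illustration of the fix (this is not the project's own userdelete.php), the handler below only performs the delete for an authenticated administrator session, requires a POST with a CSRF token instead of a bare GET, validates the id, and logs the action. The session keys `admin_id` and `role`, the `users` table, the `csrf_token` field and the `db.php` include defining `$pdo` are assumptions made for this example.

```php
<?php
// Added example of a hardened delete handler; not the project's own code.
// Assumptions: a logged-in admin has $_SESSION['admin_id'] and $_SESSION['role'],
// users live in a `users` table with an integer `id`, and db.php defines $pdo.
require __DIR__ . '/db.php'; // assumed to create a configured PDO connection in $pdo
session_start();
function isAdminSession(array $session): bool
{
    return isset($session['admin_id'], $session['role']) && $session['role'] === 'admin';
}

function deleteUserAsAdmin(PDO $pdo, int $adminId, int $targetId): bool
{
    if ($adminId === $targetId) {
        return false; // an admin must not remove their own account through this endpoint
    }
    $stmt = $pdo->prepare('DELETE FROM users WHERE id = :id'); // parameterised, never string-built
    $stmt->execute([':id' => $targetId]);
    return $stmt->rowCount() === 1;
}

// 1. Authorization: the request must come from a logged-in administrator,
//    which is exactly the check the vulnerable endpoint lacks.
if (!isAdminSession($_SESSION)) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. State-changing action: require POST plus a per-session CSRF token, so
//    simply opening the URL in a browser no longer deletes anyone.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Invalid request');
}

// 3. Input validation: id must be a positive integer, never raw text passed to SQL.
$targetId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($targetId === false || $targetId === null) {
    http_response_code(400);
    exit('Invalid id');
}
// 4. Audit trail: record who deleted whom before the action happens.
error_log(sprintf('admin %d deleting user %d', (int) $_SESSION['admin_id'], $targetId));
if (!deleteUserAsAdmin($pdo, (int) $_SESSION['admin_id'], $targetId)) {
    http_response_code(404);
    exit('No such user');
}
header('Location: users.php?deleted=1');
```

The same pattern applies to every admin action that takes a record id: check the session role first, then validate the id, then act through a prepared statement.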
Conclusion:
The main aim of this article is to show that if any non-IT person uses this template, they will be exposed to this vulnerability and their company's reputation can be damaged too. But I also hope that it helps give you ideas of how combining attacks can make them much more potent.