Threat: sensitive data disclosure
Risk level: HIGH
Complexity: medium
Vulnerable functions: Bagisto front end

The functionality listed below is designed for customers to change their own values (address, review, etc.), but the same records can also be manipulated by other customers, because the numeric id in the URL is trusted without checking that it belongs to the logged-in customer.
1) Address field: /bagisto-103-206-131-18/customer/account/addresses/edit/[ item_value ]
2) Review: /bagisto-common/customer/account/reviews/delete/[ item_value ]
3) Orders: /bagisto-common/customer/account/orders/view/[ item_value ]

Tool used: Burp proxy (to manipulate requests)

Steps to reproduce the attack:

1.1) Address field:
Step 1: Create two users.
user 1 : firstname.lastname@example.org
user 2 : email@example.com (default user on demo)
Step 2: Add multiple addresses to both users and note their ids.
Step 3: Edit an address using the other user's address id; the page shows that user's address.
User1 can modify/view/delete addresses of User2 and vice versa.
The same technique can be used against the other functions.
1.2) Product review:
The review id can be changed to another user's review id to delete a review made by that user.

1.3) Orders:
The order id can be changed to view orders made by another user.
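As an added example that is not part of this report or of Bagisto's code, the following Python shows the shape of the fix (an owner-scoped lookup that returns nothing for another customer's id) and an audit check a defender can run over access logs for the three routes above. The ownership table and log lines are constructed, and the "customer METHOD path" log format is an assumption.

```python
import re

# The three customer-account routes from the report; the trailing segment is the object id.
ROUTES = {
    "address": re.compile(r"/customer/account/addresses/edit/(\d+)$"),
    "review": re.compile(r"/customer/account/reviews/delete/(\d+)$"),
    "order": re.compile(r"/customer/account/orders/view/(\d+)$"),
}

# Constructed ownership table standing in for the database: kind -> {object id: owner customer id}.
OWNERSHIP = {
    "address": {11: 1, 12: 1, 21: 2},
    "review": {101: 1, 201: 2},
    "order": {1001: 1, 2001: 2},
}

# Constructed access-log lines (assumed format): "<authenticated customer id> <METHOD> <path>".
SAMPLE_LOG = [
    "1 GET /bagisto-common/customer/account/addresses/edit/11",
    "1 GET /bagisto-common/customer/account/addresses/edit/21",    # user 1 opens user 2's address
    "2 POST /bagisto-common/customer/account/reviews/delete/101",  # user 2 deletes user 1's review
    "2 GET /bagisto-common/customer/account/orders/view/2001",
    "2 GET /bagisto-common/customer/account/orders/view/1001",     # user 2 views user 1's order
    "1 GET /bagisto-common/customer/account/orders/view/1001",
]

def parse_line(line):
    """Return (customer, kind, object_id) for a request to one of ROUTES, else None."""
    customer, _method, path = line.split()
    for kind, rx in ROUTES.items():
        m = rx.search(path)
        if m:
            return int(customer), kind, int(m.group(1))
    return None

def owned_object(customer, kind, object_id, ownership=OWNERSHIP):
    """Owner-scoped lookup (the fix): the id is returned only if it belongs to the caller."""
    return object_id if ownership.get(kind, {}).get(object_id) == customer else None

def cross_owner_accesses(log_lines, ownership=OWNERSHIP):
    """Requests in which the authenticated customer touched another customer's object.
    Ids absent from the ownership table are skipped rather than flagged."""
    hits = []
    for customer, kind, obj in filter(None, map(parse_line, log_lines)):
        owner = ownership.get(kind, {}).get(obj)
        if owner is not None and owner != customer:
            hits.append((customer, kind, obj, owner))
    return hits
```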