Labels: Bug Fixed, Critical, Customer, Shop
Threat: sensitive data disclosure
Risk level: HIGH
Complexity: medium
Vulnerable functions: Bagisto front end
The functionality listed below is designed for customers to change their own values (address, reviews, etc.), but it can also be manipulated by other customers.
1) Address field: /bagisto-103-206-131-18/customer/account/addresses/edit/[ item_value ]
2) Review: /bagisto-common/customer/account/reviews/delete/[ item_value ]
3) Orders: /bagisto-common/customer/account/orders/view/[ item_value ]
Tool Used: Burp proxy (to manipulate requests)
Steps to reproduce the attack:
1.1) Address field:
Step 1: Create two users.
user 1: demo01@webkul.com
user 2: demo@example.com (default user on demo)
Step 2: Add multiple addresses to both users and note their ids.
Step 3: Edit an address using the other user's address id; this shows you that user's address.
User1 can modify/view/delete addresses of User2 and vice versa.
The same technique can be used to exploit the other functions.
1.2) Product review:
The review id can be changed to another user's review id to delete a review made by that user.
1.3) Orders:
The order id can be changed to view orders made by another user.
Impacts of vulnerability:
Sensitive data disclosure: a user can easily view another user's data.
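The root cause in all three cases is the same: the record is looked up by the id from the URL alone, with no check that it belongs to the authenticated customer. The following is an added example written for this report, not Bagisto's own code; it uses a constructed in-memory address table so it runs with plain `php` (8.0 or later, for `?? throw`) and needs no framework. It places the vulnerable lookup beside the ownership-scoped one that closes the hole; the Eloquent equivalents named in the comments are the standard `where`/`findOrFail` calls, not Bagisto-specific methods.

```php
<?php
// Added example (not Bagisto's code). Shows the missing ownership check
// behind the IDOR in this report, with an in-memory store in place of the
// database. Assumed data shape: every address row carries the owning
// customer's id (the column name customer_id is an assumption here).

declare(strict_types=1);

// Constructed sample data: two customers, each with their own addresses.
const ADDRESSES = [
    10 => ['id' => 10, 'customer_id' => 1, 'line1' => '1 First St'],
    11 => ['id' => 11, 'customer_id' => 1, 'line1' => '2 Second St'],
    20 => ['id' => 20, 'customer_id' => 2, 'line1' => '9 Ninth Ave'],
];

final class NotFound extends RuntimeException {}

/**
 * Vulnerable lookup: trusts the id taken from the URL and never checks who
 * owns the row, so any logged-in customer can read, edit or delete any
 * address. This is the pattern behind /customer/account/addresses/edit/{id}.
 */
function findAddressVulnerable(int $addressId): array
{
    return ADDRESSES[$addressId] ?? throw new NotFound("address $addressId");
}

/**
 * Fixed lookup: the query is scoped to the authenticated customer, so a
 * foreign id simply does not resolve. Answering "not found" rather than
 * "forbidden" also avoids confirming to the caller that the id exists.
 * In Eloquent this is the difference between
 *   Address::findOrFail($id)
 * and
 *   Address::where('customer_id', $customerId)->findOrFail($id)
 * and the same scoping fixes the review-delete and order-view routes.
 */
function findAddressOwned(int $authenticatedCustomerId, int $addressId): array
{
    $row = ADDRESSES[$addressId] ?? null;
    if ($row === null || $row['customer_id'] !== $authenticatedCustomerId) {
        // Worth logging in production: repeated misses on foreign ids from
        // one session are the signature of id enumeration.
        throw new NotFound("address $addressId");
    }
    return $row;
}

// Demo: customer 1 is logged in and requests customer 2's address id.
$me = 1;
$foreignId = 20;

$leaked = findAddressVulnerable($foreignId);
echo "vulnerable: customer $me read address {$leaked['id']} owned by customer {$leaked['customer_id']}\n";

try {
    findAddressOwned($me, $foreignId);
} catch (NotFound $e) {
    echo "fixed: lookup of {$e->getMessage()} rejected for customer $me\n";
}

// The customer's own address still resolves after the fix.
$own = findAddressOwned($me, 10);
echo "fixed: customer $me read own address {$own['id']}\n";
```

The same scoping must be applied to every route in the list (edit, delete and view alike), since the update and delete handlers are usually separate code paths from the read; fixing only the edit page leaves the review-delete and order-view routes open.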
Reference:
https://www.owasp.org/index.php/Broken_Access_Control
https://www.htbridge.com/blog/OWASP-broken-access-control.html