Account Takeover in neorazorx/facturascripts

Valid

Reported on

May 9th 2022


Description

Hi there, I found that the forgot-password functionality can be manipulated, and this leads to account takeover. So an attacker can even take over accounts ranging from low-access users to admin accounts. In this bug the server is vulnerable to a PHP type juggling attack.

Proof of Concept

  1. While registering the app for first use, set the DB password starting with "0e" followed by random characters; you can add any password starting with 0e.
  2. Go to the forgot-password section and enter the username as admin and the new password as "newpass".
  3. Enter 0 as the database password.
  4. Send the request and log in with the new password.
  5. The password is successfully changed.

Reference: https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09

Impact

Account takeover
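The comparison at the root of this report, as an added illustration that is not FacturaScripts' own code: a stored value beginning with "0e" followed only by digits is a numeric string in PHP, so a loose `==` against "0" compares 0.0 with 0 and passes; the sample values and function names below are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed sample values (not taken from the report):
// a DB password chosen to start with "0e" plus digits, and the "0" submitted
// in the reset form's database-password field.
const STORED_DB_PASSWORD = '0e1234';
const SUBMITTED_VALUE    = '0';

// Vulnerable pattern: == on two numeric strings compares them as numbers.
// "0e1234" is read as 0 x 10^1234, i.e. 0.0, and "0" is 0, so the check passes.
// Note the caveat for the report's "random characters": the bypass needs the
// characters after "0e" to be digits, otherwise the string is not numeric.
function looseCheck(string $stored, string $submitted): bool
{
    return $stored == $submitted;
}

// Hardened pattern 1: === compares the strings byte for byte, with no
// numeric coercion, so "0e1234" and "0" are simply different strings.
function strictCheck(string $stored, string $submitted): bool
{
    return $stored === $submitted;
}

// Hardened pattern 2: hash_equals() is strict as well and runs in constant
// time, which is the right primitive for comparing any secret.
function constantTimeCheck(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// Demo: the loose check accepts the attacker's "0"; both strict checks reject it,
// and only an exact match of the stored value is accepted.
var_dump(looseCheck(STORED_DB_PASSWORD, SUBMITTED_VALUE));
var_dump(strictCheck(STORED_DB_PASSWORD, SUBMITTED_VALUE));
var_dump(constantTimeCheck(STORED_DB_PASSWORD, SUBMITTED_VALUE));
var_dump(constantTimeCheck(STORED_DB_PASSWORD, '0e1234'));
```

The same loose comparison trips when both sides are hashes that happen to start with "0e" and contain only digits afterwards, which is why password and token checks should always use `===` or `hash_equals()` rather than `==`.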

Timeline

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. (15 days ago)
Distorted_Hacker modified the report (four times, 15 to 14 days ago)
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back. (14 days ago)
Carlos Garcia validated this vulnerability. (12 days ago)
Distorted_Hacker has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Carlos Garcia confirmed that a fix has been merged on 714beb. (12 days ago)
Distorted_Hacker has been awarded the fix bounty.
Distorted_Hacker (Researcher), 12 days ago:

@admin can you please assign a CVE

Jamie Slome (Admin), 11 days ago:

Sorted 👍
