Account Takeover in neorazorx/facturascripts

Valid

Reported on

May 9th 2022


Description

Hi there, I found that the forgot password functionality can be manipulated and this leads to account takeover. So an attacker can even take over admin accounts from a low-access user. In this bug the server is vulnerable to a PHP type juggling attack.

Proof of Concept

  1. While registering the app for first use, set the DB password to a value starting with "0e" followed by random characters. Any password starting with 0e can be used.
  2. Go to the forgot password section, enter the username as admin and the new password as "newpass".
  3. Enter 0 as the database password.
  4. Send the request and log in with the new password.
  5. The password is successfully changed.

Reference: https://medium.com/swlh/php-type-juggling-vulnerabilities-3e28c4ed5c09
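The steps above work because the reset form's database-password check compares the submitted value to the configured one with PHP's loose `==` operator. Two numeric strings are compared as numbers, so a configured password of the form "0e" plus digits (numerically 0.0) matches the submitted "0". The following is an added illustration, not FacturaScripts code: the function names, the `EXAMPLE_DB_PASS` constant and the sample inputs are constructed for the demo. It places the loose check beside a hardened one that uses `hash_equals`, which compares bytes without type coercion and in constant time.

```php
<?php
// Added illustration of the loose-comparison weakness described in the report.
// Function names and the config constant are hypothetical, not the project's code.

// Constructed sample config value: an installer-chosen DB password of the form
// "0e" + digits. PHP treats such a string as numeric with the value 0.0.
const EXAMPLE_DB_PASS = '0e12345';

// Vulnerable pattern: == applies PHP's numeric-string comparison rules, so any
// submitted numeric string equal to 0 (e.g. "0", "00", "0e999") is accepted.
function check_db_password_loose(string $configured, string $submitted): bool
{
    return $submitted == $configured;
}

// Hardened pattern: hash_equals() does a constant-time, byte-for-byte comparison
// with no type juggling. A strict === would also close the juggling hole, but
// hash_equals additionally avoids timing leaks on the secret.
function check_db_password_strict(string $configured, string $submitted): bool
{
    return hash_equals($configured, $submitted);
}

// Runs a few constructed inputs through both checks and prints the outcome.
function demo(): void
{
    $cases = ['0', '00', '0e999', EXAMPLE_DB_PASS, 'wrong'];
    foreach ($cases as $submitted) {
        printf(
            "%-10s loose=%-5s strict=%s\n",
            var_export($submitted, true),
            var_export(check_db_password_loose(EXAMPLE_DB_PASS, $submitted), true),
            var_export(check_db_password_strict(EXAMPLE_DB_PASS, $submitted), true)
        );
    }
}

demo();
```

Running this shows `'0'`, `'00'` and `'0e999'` passing the loose check and failing the strict one; only the exact configured string passes both, and `'wrong'` fails both. The defensive takeaway is the same as the upstream fix: never compare secrets with `==`, and prefer `hash_equals` for any comparison of a user-supplied value against a stored credential or token.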

Impact

Account takeover

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a year ago
Distorted_Hacker modified the report a year ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a year ago
Carlos Garcia validated this vulnerability a year ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia marked this as fixed in 2022.07 with commit 714beb a year ago
Distorted_Hacker has been awarded the fix bounty
This vulnerability will not receive a CVE
Distorted_Hacker (Researcher), a year ago:

@admin, can you please assign a CVE?

Jamie Slome (Admin), a year ago:

Sorted 👍
