Improper Access Control (IDOR) in neorazorx/facturascripts
Apr 28th 2022
Improper Access Control (IDOR) could leak admin information.
Proof of Concept
1.Login as admin, edit a role to give permission show a user information -> save
2.Login as an user with that role -> go to url
http://my.facturascripts.site/EditUser?code=admin&action=export&option=PDF -> Can see all the information of admin (and other users) included email and IP address
-First, Admin's information can not be seen by any other user, it can lead to dangerous action by attackers.
-Second, impact of the leak of IP addresses (of admin or any other user) is very serious, attackers can use it to seize very valuable information, including your location and online identity. Using this information as a starting point, they could potentially hack your device, steal your identity, and more