An IDOR leading to viewing other users' files (CVE-2023-42334)

Fahad Almulhim (0xHunter)
3 min read · Sep 19, 2023

Good day everyone! I hope all of you are doing well.

During one of our penetration testing assessments, we encountered an iOS app that included both fl3xx Crew and fl3xx Dispatch. We identified a parameter that could potentially allow users to view files they are not authorized to access. The following steps demonstrate how an authenticated user can discover an Insecure Direct Object Reference (IDOR) vulnerability, which can lead to additional security risks. For reference, here are the links to the blogs for the other CVEs:

· Unrestricted file upload CVE-2023-42335

Today I will be demonstrating CVE-2023-42334.

Vulnerability Details

Vulnerable Software: Fl3xx Dispatch & Fl3xx Crew

Vulnerability: Insecure direct object reference.

Affected Version: 2.10.37

Vendor Homepage: https://www.fl3xx.com/product/fl3xx

CVE: CVE-2023-42334

What is IDOR?

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. This is caused by the fact that the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization checks.

How can I prevent IDOR vulnerabilities?

There are several steps that can be taken to prevent insecure direct object reference vulnerabilities:

· Use per-user or session indirect object references. This prevents attackers from directly targeting unauthorized resources.

· Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
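To make the two mitigations concrete, here is an added example (not fl3xx code, and not from the original post) of a file-download handler: the vulnerable form uses the caller-supplied file id directly, while the hardened form adds an ownership check and hands the client only per-session random references. The file store, user names and contents are constructed sample data.

```python
import secrets

# Constructed sample store: file id -> (owner, contents). Not real fl3xx data.
FILES = {
    101: ("alice", b"alice flight plan"),
    102: ("bob", b"bob crew roster"),
}


class Forbidden(Exception):
    """Raised when a reference cannot be resolved for this requester."""


def get_file_vulnerable(user, file_id):
    """IDOR: the user-supplied id is used directly, no authorization check."""
    return FILES[file_id][1]


def get_file_checked(user, file_id):
    """Mitigation 2: every direct reference is checked against the requester."""
    entry = FILES.get(file_id)
    if entry is None or entry[0] != user:
        # One error for both "missing" and "not yours" so ids cannot be probed.
        raise Forbidden("not found or not authorized")
    return entry[1]


class SessionRefs:
    """Mitigation 1: per-session indirect references.

    The client only ever sees random tokens minted for its own session;
    the real ids never leave the server, so there is nothing to tamper with.
    """

    def __init__(self, user):
        self.user = user
        self._map = {}  # token -> real file id

    def list_files(self):
        """Mint a fresh opaque token for each file the session owner may see."""
        tokens = []
        for fid, (owner, _) in FILES.items():
            if owner == self.user:
                tok = secrets.token_urlsafe(16)
                self._map[tok] = fid
                tokens.append(tok)
        return tokens

    def get_file(self, token):
        """Resolve a token and still re-check ownership (defense in depth)."""
        fid = self._map.get(token)
        if fid is None:
            raise Forbidden("unknown reference")
        return get_file_checked(self.user, fid)
```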

· Fl3xx Crew system: Crew system, crew assignment, qualifications, and much more, all synced with your calendars via the web or crew app.

· Fl3xx Dispatch system: Manage your airport slots, assigned crew, passenger preferences, and much more in a single instant.

Required Components:

· Burp Suite: HTTP proxy tool for intercepting requests.

Steps to execution:

1. Send a request for a file on the system through Burp Suite and forward it to Intruder to check whether changing the parameter lets us access and view other files.

After changing the parameter in the request, we see that we can view different files that the user is not authorized to view.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42334

Acknowledgment:

Thanks to Yara Alhumaidan and May al-muraished for their support. Also, many thanks to the Saudi information and technology company (SITE) for their continuous support.
