
Broken Access Control leads to full access to all company customers, users, infrastructure, employees ...



Published 2 weeks ago


Hi, this is the DevSecure Team. We specialize in uncovering hidden vulnerabilities that pose real-world risks to modern web applications.
All vulnerabilities shared in these write-ups are fully redacted — any company names, domains, or sensitive details are replaced with placeholders such as company.com. Each finding was responsibly disclosed through the Intigriti platform and has been verified and resolved by the affected vendor.

Every post represents our commitment to ethical hacking, responsible disclosure, and continuous learning, helping organizations strengthen their defenses while contributing to a safer global cybersecurity ecosystem.

Description:

Broken access control led to full access to sensitive information about all company customers, users, infrastructure, contacts and employees: names, emails and phone numbers, and in some cases even passwords for admins and servers. It also exposed a QueryBuilder that can be used to export sensitive data. It all started while I was doing recon for *.company.eu: I found a documentation file that referred to a SharePoint host used for company storage. When I tried to access it with my own credentials, I was let in to companycloud.sharepoint.com. I then started searching for any information I could use to get access to other services, and found all of these resources, every one of them containing sensitive information.

Affected Parameter / Endpoint: https://companycloud.sharepoint.com/sites/*******/items?$select=Name%2CEMail%2CUserName%2CWorkPhone&$top=10000

Proof of Concept:

Step-by-step to reproduce:
1/ companycloud.sharepoint.com hosts many important and sensitive sites, including AdminFiles and PrivateFiles.

Let's start with the Query Builder. Search for "query builder" and click on it and you get access to a form interface where you can build a query: choose a list (in this case there are more than 20 lists; I chose the User Information List) and add the columns you want to see (for the PoC I chose just Name, EMail, UserName and WorkPhone). This returned all users in the database (more than 7000 users). The XML result is available at https://companycloud.sharepoint.com/sites/*******/items?$select=Name%2CEMail%2CUserName%2CWorkPhone&$top=10000. That is just a PoC: any of the other 20 lists besides the User Information List, and any of their columns, can be queried the same way. The SharePoint holds a lot of sensitive information about internal employees, infrastructure, backups, customers and users. In this report I give only a PoC of how sensitive this is, but if an attacker had access to this sort of information, the impact on the whole company would be catastrophic.
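As an added example (not part of the original report), here is a defender-side check in Python that scans web-access log lines for the query pattern shown above: a list `items` request that selects personal columns such as Name, EMail, UserName and WorkPhone with a bulk `$top` value. The tab-separated log format, the `BULK_TOP` threshold and the sample lines are assumptions constructed for the example.

```python
from urllib.parse import urlparse, parse_qs

# Columns the report shows being pulled from the User Information List.
PII_COLUMNS = {"name", "email", "username", "workphone"}
BULK_TOP = 1000  # assumed threshold: normal UI paging stays far below this

def analyze_request(url):
    """Describe one SharePoint REST list query: which PII columns it selects and its $top."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)          # parse_qs also decodes %2C into commas
    select = params.get("$select", [""])[0]
    columns = {c.strip().lower() for c in select.split(",") if c.strip()}
    try:
        top = int(params.get("$top", ["0"])[0])
    except ValueError:
        top = 0
    return {
        "is_items_query": parsed.path.lower().rstrip("/").endswith("/items"),
        "pii_columns": sorted(columns & PII_COLUMNS),
        "top": top,
    }

def is_bulk_pii_export(url):
    """True when a list query selects PII columns with a bulk page size."""
    info = analyze_request(url)
    return info["is_items_query"] and bool(info["pii_columns"]) and info["top"] >= BULK_TOP

def scan_log(lines):
    """Constructed 'user<TAB>status<TAB>url' lines -> (user, url) pairs that actually exported PII."""
    hits = []
    for line in lines:
        user, status, url = line.rstrip("\n").split("\t", 2)
        if status == "200" and is_bulk_pii_export(url):   # a 403 disclosed nothing
            hits.append((user, url))
    return hits

# Constructed sample log, not from the report; the first line mirrors the reported query shape.
SAMPLE_LOG = [
    "guest@external.example\t200\thttps://companycloud.sharepoint.com/sites/HR/items?$select=Name%2CEMail%2CUserName%2CWorkPhone&$top=10000",
    "alice@company.com\t200\thttps://companycloud.sharepoint.com/sites/HR/items?$select=Title&$top=50",
    "guest@external.example\t403\thttps://companycloud.sharepoint.com/sites/Admin/items?$select=EMail&$top=5000",
]

if __name__ == "__main__":
    for user, url in scan_log(SAMPLE_LOG):
        print(f"ALERT bulk PII export by {user}: {url}")
```

Only successful (200) responses are flagged, since a denied request disclosed nothing; the threshold should be tuned to the tenant's normal paging sizes.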

Impact:

Access to all company customers, users, infrastructure ...

Severity:

Critical

Timeline:

  • Platform: Intigriti
  • Reported: 07/11/2023
  • Triaged: 07/11/2023
  • Accepted & paid: 15/11/2023
  • Bounty: €500

https://app.intigriti.com/profile/merroun
