ProConf 6.0 Insecure Direct Object Reference
ProConf 6.0 has an Insecure Direct Object Reference (IDOR) vulnerability that allows an author, by modifying the Paper ID, to view and retrieve papers submitted by other users together with their personal information (name, email, etc.), compromising privacy. The vulnerability was fixed in version 6.1. 2025-4-24 16:56:32 Author: cxsecurity.com

CVSS Base Score: 4/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8/10

Exploit range: Remote

Attack complexity: Low

Authentication: Single time

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

# Exploit Title: ProConf 6.0 - Insecure Direct Object Reference (IDOR)
# Date: 19/07/2018
# Exploit Author: S. M. Zia Ur Rashid, SC
# Author Contact: https://www.linkedin.com/in/ziaurrashid/
# Vendor Homepage: http://proconf.org & http://myproconf.org
# Version: <= 6.0
# Tested on: Windows
# CVE : CVE-2018-16606
# Patched Version: 6.1
# Description: In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows any author to view and grab all submitted papers (Title and Abstract) and their authors' personal information (Name, Email, Organization, and Position) by changing the value of Paper ID (the pid parameter).

# PROOF-OF-CONCEPT

Step 1: Sign in as an author for a conference and submit a paper. You'll get a paper ID.

Step 2: Now go to the paper details page and change the value of Paper ID (param pid=xxxx) to the nearest previous value to view another author's submitted paper and author information.

http://[host]/conferences/[conference-name]/author/show_paper_details.php?pid=xxxx
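The root cause is that show_paper_details.php selects the record by the client-supplied pid alone, with no check that the record belongs to the logged-in author. The following is an added illustration, not ProConf's own code: the vulnerable lookup next to the ownership-bound version that closes the hole. Table and column names, the session layout and the PDO connection are assumptions.

```php
<?php
// Added example (not ProConf's code). Schema (papers, authors, author_id),
// session key 'author_id' and the DSN below are assumptions for illustration.

function db(): PDO {
    // Assumed connection details; replace with the application's real ones.
    return new PDO('mysql:host=localhost;dbname=proconf', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// VULNERABLE PATTERN: the only thing selecting the row is the pid from the
// query string, so any authenticated author who edits pid reads another
// author's title, abstract and contact details (the CVE-2018-16606 behaviour).
function showPaperDetailsVulnerable(int $pid): ?array {
    $stmt = db()->prepare(
        'SELECT p.title, p.abstract, a.name, a.email, a.organization, a.position
           FROM papers p JOIN authors a ON a.id = p.author_id
          WHERE p.id = :pid'
    );
    $stmt->execute([':pid' => $pid]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED PATTERN: the row must also belong to the author identified by the
// server-side session. A foreign pid simply finds nothing; the client cannot
// influence the :author binding.
function showPaperDetails(int $pid, int $sessionAuthorId): ?array {
    $stmt = db()->prepare(
        'SELECT p.title, p.abstract, a.name, a.email, a.organization, a.position
           FROM papers p JOIN authors a ON a.id = p.author_id
          WHERE p.id = :pid AND p.author_id = :author'
    );
    $stmt->execute([':pid' => $pid, ':author' => $sessionAuthorId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Entry point: pid comes from the request, the author id only from the session.
session_start();
$pid = filter_input(INPUT_GET, 'pid', FILTER_VALIDATE_INT);
if ($pid === false || $pid === null || empty($_SESSION['author_id'])) {
    http_response_code(400);
    exit;
}
$paper = showPaperDetails($pid, (int) $_SESSION['author_id']);
if ($paper === null) {
    http_response_code(404); // same response for "absent" and "not yours"
    exit;
}
header('Content-Type: application/json');
echo json_encode($paper);
```

Returning the same 404 for a non-existent and a foreign pid also removes the oracle that lets sequential pid probing confirm which IDs exist.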

Source: https://cxsecurity.com/issue/WLB-2025040037