Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22409
HistorySep 04, 2009 - 12:00 a.m.

New Bug Found By Ostoure Sazan Sharif

2009-09-0400:00:00
vulners.com
22
JSON

www.Ostoure.com_____

|
| Ostoure Security Research Team
|
| Title: Accounting Portal authentication Bypass
| Vendor: Parsonline - Parsway ISP
| Exploitation: Remote with browser

====================

  • Description:
    ====================

The data in the admin folder "DesktopModules" can be accessed via a normal session without
authentication, someone can do this to view other people's usernames and passwords

You can access other people's account information, by entering the URL of your own account
information, and changing the account number in the URL to another person's number.

====================

  • exploit:
    ====================

First u must loggin with your user & password

http://victim.com or victime
ip/PolPortal/DesktopModules/shoppingcart_Factor.aspx?customerid=[number]

you must enter other user in number part

                          *

Found By Ostoure sazan sharif *
*

JSON