
pcs.ne.jp Improper Access Control vulnerability

Description

Open Bug Bounty ID: OBB-1156556

Following coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](<https://www.iso.org/standard/45170.html>)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

Affected Website:| **[pcs.ne.jp](<http://www.pcs.ne.jp>)**
---|---
Vulnerable Application:| Custom Code
Vulnerability Type:| **[IAC (Improper Access Control)](<https://www.owasp.org/index.php/Broken_Access_Control>)** / CWE-284
CVSSv3 Score:| 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N]
Disclosure Standard:| Coordinated Disclosure based on **[ISO 29147](<https://www.iso.org/standard/45170.html>)** guidelines
Discovered and Reported by:| **Gh05tPT**
Remediation Guide:| **[OWASP Access Control Cheat Sheet](<https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md>)**

Vulnerable URL: [image]

HTTP POST data: [image]

Researcher's Comment: [image]

**Mirror:** [Click here to view the mirror](<http://1156556.openbounty.org/mirror/>)

### Coordinated Disclosure Timeline

Vulnerability Reported:| 5 May, 2020 16:57 GMT
---|---
Vulnerability Verified:| 6 May, 2020 08:24 GMT
Website Operator Notified:| 6 May, 2020 08:24 GMT
a. Using the ISO 29147 guidelines| ![done](/images/done.png)
b. Using publicly available security contacts| ![done](/images/done.png)
c. Using Open Bug Bounty notification framework| ![done](/images/done.png)
d. Using security contacts provided by the researcher| ![done](/images/done.png)
Public Report Published [without any technical details]:| 6 May, 2020 08:24 GMT