shreyastechsolutions.com Improper Access Control vulnerability

2020-05-26 11:11:00
Gh05tPT
www.openbugbounty.org

Open Bug Bounty ID: OBB-1172525

Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has:

      a. verified the vulnerability and confirmed its existence;
      b. notified the website operator about its existence.

Affected Website: shreyastechsolutions.com
Vulnerable Application: Custom Code
Vulnerability Type: IAC (Improper Access Control) / CWE-284
CVSSv3 Score: 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N]
Disclosure Standard: Coordinated Disclosure based on ISO 29147 guidelines
Discovered and Reported by: Gh05tPT
Remediation Guide: OWASP Access Control Cheat Sheet

Vulnerable URL: [screenshot, not reproduced]

HTTP POST data: [screenshot, not reproduced]

Researcher's Comment: [screenshot, not reproduced]


Coordinated Disclosure Timeline

Vulnerability Reported: 26 May, 2020 11:11 GMT
Vulnerability Verified: 26 May, 2020 11:24 GMT
Website Operator Notified: 26 May, 2020 11:24 GMT
a. Using the ISO 29147 guidelines
b. Using publicly available security contacts
c. Using Open Bug Bounty notification framework
d. Using security contacts provided by the researcher
Public Report Published [without any technical details]: 26 May, 2020 11:24 GMT