
gohanggliding.com Improper Access Control vulnerability OBB-1232749

Description

Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147](https://www.iso.org/standard/45170.html)** standard, Open Bug Bounty has:

a. verified the vulnerability and confirmed its existence;
b. notified the website operator about its existence.

| Field | Value |
|---|---|
| Affected Website: | **[gohanggliding.com](http://gohanggliding.com)** |
| Open Bug Bounty Program: | **Create your bounty program now**. It's open and free. |
| Vulnerable Application: | Custom Code |
| Vulnerability Type: | **[IAC (Improper Access Control)](https://www.owasp.org/index.php/Broken_Access_Control)** / CWE-284 |
| CVSSv3 Score: | 6.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N] |
| Disclosure Standard: | Coordinated Disclosure based on **[ISO 29147](https://www.iso.org/standard/45170.html)** guidelines |
| Discovered and Reported by: | **Badalsardhara2** |
| Remediation Guide: | **[OWASP Access Control Cheat Sheet](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Access_Control_Cheat_Sheet.md)** |
| Export Vulnerability Data: | Bugzilla, JIRA [Configuration], Mantis, Splunk, XML [XSD] |
| Vulnerable URL: | (shown as an image on the original page) |

**Mirror:** [Click here to view the mirror](http://1232749.openbounty.org/mirror/)

### Coordinated Disclosure Timeline

| Event | Time |
|---|---|
| Vulnerability Reported: | 20 July, 2020 11:03 GMT |
| Vulnerability Verified: | 21 July, 2020 10:02 GMT |
| Website Operator Notified: | 21 July, 2020 10:02 GMT |

| Notification channel | Status |
|---|---|
| a. Using the ISO 29147 guidelines | done |
| b. Using publicly available security contacts | done |
| c. Using Open Bug Bounty notification framework | done |
| d. Using security contacts provided by the researcher | done |

| Event | Time |
|---|---|
| Public Report Published [without any technical details]: | 21 July, 2020 10:02 GMT |
| Vulnerability Fixed: | 21 July, 2020 14:13 GMT |