CVE-2023-24625 / IDOR in Faveo Service Desk - cupc4k3 - Medium
Faveo 5.0.1 allows remote attackers to obtain sensitive information via a modified user ID in an Insecure Direct Object Reference (IDOR) attack.
What is Faveo?
Faveo is a ticket-based support system built on the PHP-based Laravel framework. The word Faveo comes from Latin and means “to be favourable”. It provides businesses with an automated helpdesk system to manage customer support, and it has a built-in knowledge base for customer self-service.
This vulnerability affects **Stable ServiceDesk Enterprise (v5.0.1)**.
**The vulnerability has been fixed in v6.0.3.**
Let’s demonstrate the first vulnerability that was found:
IDOR - Insecure Direct Object References
This test uses the test user provided by the demo_client platform itself:
After authenticating to the application and navigating to My Profile and then Profile, we can observe the requests in Burp Suite.
Intercepting the requests, the first thing that caught my attention is that our user Demo is referenced by the number 21, as shown in the screenshot below. The other parameters will also be useful for the next vulnerability.
My user Demo:
By intercepting the request again and changing the ID to another number, we are able to obtain the personal data of other users registered in the system.
Result of the request manipulating the user ID:
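To make the IDOR concrete from the defender's side, here is an added example (not Faveo's code; the records, the log format and the endpoint name are constructed for illustration). It contrasts a profile lookup that trusts the client-supplied user ID with one that authorizes against the server-side session identity, and it adds a small detector that scans access-log lines for a single session successfully reading several other users' profiles, which is the access pattern this kind of enumeration leaves behind.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    name: str
    email: str
    mobile: str
    role: str  # "user" or "admin"


# Constructed sample records; ids and contact details are made up for the example.
USERS = {
    1: User(1, "Admin", "admin@example.test", "+1-555-0001", "admin"),
    21: User(21, "Demo", "demo@example.test", "+1-555-0100", "user"),
    22: User(22, "Aston", "aston@example.test", "+1-555-0101", "user"),
}


class Forbidden(Exception):
    pass


def profile_vulnerable(session_user_id, requested_user_id):
    """IDOR: the record is selected purely by the client-supplied id.
    The session identity is never consulted, so any authenticated user
    can read any profile by changing the number."""
    return USERS[requested_user_id]


def profile_hardened(session_user_id, requested_user_id):
    """Object-level authorization: the server-side identity decides.
    A plain user may only read their own record; admins may read any."""
    actor = USERS[session_user_id]
    if actor.role != "admin" and requested_user_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not read user {requested_user_id}")
    return USERS[requested_user_id]


def is_allowed(session_user_id, requested_user_id):
    """Boolean wrapper around the hardened check, handy for tests and policies."""
    try:
        profile_hardened(session_user_id, requested_user_id)
        return True
    except Forbidden:
        return False


# Constructed access-log excerpt (not real Faveo logs); the line format is an assumption.
ACCESS_LOG = """\
2023-01-10T10:00:01Z user=21 GET /profile?user_id=21 200
2023-01-10T10:00:05Z user=21 GET /profile?user_id=22 200
2023-01-10T10:00:06Z user=21 GET /profile?user_id=23 200
2023-01-10T10:00:07Z user=21 GET /profile?user_id=24 200
2023-01-10T10:00:09Z user=7 GET /profile?user_id=7 200
2023-01-10T10:00:12Z user=7 GET /profile?user_id=8 403
"""

LOG_LINE = re.compile(r"user=(\d+) GET /profile\?user_id=(\d+) (\d{3})$")


def enumeration_suspects(log_text, threshold=3):
    """Flag sessions that successfully (HTTP 200) read at least `threshold`
    distinct profiles belonging to *other* users. Denied attempts (403) are
    not counted: after the fix they are noise, before it they never occur."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        actor, target, status = int(m.group(1)), int(m.group(2)), m.group(3)
        if status == "200" and target != actor:
            targets[actor].add(target)
    return sorted(actor for actor, seen in targets.items() if len(seen) >= threshold)


if __name__ == "__main__":
    print("vulnerable, user 21 reads 22:", profile_vulnerable(21, 22))
    print("hardened, user 21 reads 22 allowed:", is_allowed(21, 22))
    print("sessions enumerating profiles:", enumeration_suspects(ACCESS_LOG))
```

The simplest fix for a "my profile" endpoint is to drop the user ID parameter entirely and load the record for the session user; the hardened function above keeps the parameter only to show where the check belongs when an admin view legitimately needs it.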
Broken Access Control
To put this flaw in context, we first need to understand that within the platform each user or agent is registered in groups, and each one can only view the tickets relevant to their access.
As the screenshot below shows, going to My Tickets, our customer user has 4 open tickets and two closed tickets.
Going back to My Profile and intercepting the request in Burp, I managed to gain unauthorized access as shown below:
In the request to access our profile, if we remove the client from the request, we obtain access that only the system administrator should have: we can add ourselves to other organizations and read all the tickets in the system, even though we are an ordinary user.
By removing the client, we can view our user’s work phone, email and mobile phone, and if we change the userid in the request, we can also obtain this data for any user on the platform.
Result by changing the user id and removing the client from the request:
We were able to view the personal data of the Aston user and the organization he is part of within the system.
Returning to our demo user, we were able to include ourselves in all the organizations available in the system:
After selecting the organizations, just click Submit:
Changes made successfully
Returning to My Tickets now, we see 25 open and 6 closed tickets, and we can read all the tickets from other organizations, which confirms the flaw.
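The organization-membership part of the issue is easiest to see as a function-level authorization failure. The following is an added example, not Faveo's code: it is a hypothetical reconstruction in which a profile-update handler decides whether to honor the organization list based on a request marker (the "client" field) rather than on the caller's role, beside a hardened handler that authorizes on the server-side identity and rejects membership changes from non-admins. The organizations, tickets and accounts are constructed, and the ticket listing shows how org-scoped visibility widens once membership is tampered with.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample data; none of this reflects Faveo's real schema.
ORGS = {1: "Acme", 2: "Globex", 3: "Initech"}


@dataclass(frozen=True)
class Ticket:
    id: int
    org_id: int
    status: str  # "open" or "closed"


# Org 1 mirrors the demo user's view (4 open, 2 closed); the rest is filler.
TICKETS = [
    Ticket(1, 1, "open"), Ticket(2, 1, "open"), Ticket(3, 1, "open"), Ticket(4, 1, "open"),
    Ticket(5, 1, "closed"), Ticket(6, 1, "closed"),
    Ticket(7, 2, "open"), Ticket(8, 2, "open"), Ticket(9, 2, "open"), Ticket(10, 2, "closed"),
    Ticket(11, 3, "open"), Ticket(12, 3, "open"), Ticket(13, 3, "closed"),
]


@dataclass
class Account:
    id: int
    role: str  # "user" or "admin"
    org_ids: set = field(default_factory=set)


class Forbidden(Exception):
    pass


def make_accounts():
    """Fresh copy of the account table so each scenario starts clean."""
    return {21: Account(21, "user", {1}), 1: Account(1, "admin")}


def update_profile_vulnerable(request, session_user_id, accounts):
    """Hypothetical flawed behavior: the handler trusts user_id from the body and
    treats a request *without* the 'client' marker as the administrator form,
    so it writes the organization list with no role check at all."""
    target = accounts[request["user_id"]]
    if "client" not in request and "organizations" in request:
        target.org_ids = set(request["organizations"])
    return target


def update_profile_hardened(request, session_user_id, accounts):
    """Authorize on the server-side identity, never on request markers."""
    actor = accounts[session_user_id]
    target_id = request["user_id"]
    if actor.role != "admin" and target_id != session_user_id:
        raise Forbidden("may only edit your own profile")
    if "organizations" in request:
        if actor.role != "admin":
            raise Forbidden("only administrators may change organization membership")
        org_ids = set(request["organizations"])
        if org_ids - set(ORGS):
            raise ValueError("unknown organization id")
        accounts[target_id].org_ids = org_ids
    return accounts[target_id]


def hardened_allows(request, session_user_id, accounts):
    """Boolean wrapper around the hardened handler for tests and policies."""
    try:
        update_profile_hardened(request, session_user_id, accounts)
        return True
    except Forbidden:
        return False


def visible_tickets(session_user_id, accounts):
    """Tickets are scoped to the caller's organizations; admins see everything."""
    actor = accounts[session_user_id]
    if actor.role == "admin":
        return list(TICKETS)
    return [t for t in TICKETS if t.org_id in actor.org_ids]


def ticket_counts(session_user_id, accounts):
    """Open/closed counts as the 'My Tickets' page would show them."""
    return dict(Counter(t.status for t in visible_tickets(session_user_id, accounts)))


if __name__ == "__main__":
    accounts = make_accounts()
    print("before:", ticket_counts(21, accounts))
    update_profile_vulnerable({"user_id": 21, "organizations": [1, 2, 3]}, 21, accounts)
    print("after vulnerable update:", ticket_counts(21, accounts))
    accounts = make_accounts()
    print("hardened allows self-join:",
          hardened_allows({"user_id": 21, "organizations": [1, 2, 3]}, 21, accounts))
```

The design point is that a field's presence or absence in a request is never an authorization signal: the role comes from the session, and the server decides which fields that role may write. Validating the submitted organization IDs against the known set also keeps a tampered body from attaching the user to nonexistent or foreign tenants.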