CVE-2023-24625 / IDOR in Faveo Service Desk

CUPC4K3
5 min read · Mar 14, 2023


What is Faveo?

Faveo is a ticket-based support system that runs on the PHP-based Laravel framework. The name Faveo derives from Latin and means “to be favorable.” It offers businesses an automated helpdesk system to manage customer support and features an integrated knowledge base for self-service by customers.

I identified a vulnerability in Stable ServiceDesk Enterprise version 5.0.1. However, this vulnerability has since been fixed in version 6.0.3.

Let’s demonstrate the first vulnerability that was found:

IDOR - Insecure direct object references

The vulnerability I identified was an Insecure Direct Object References (IDOR) issue. To demonstrate this vulnerability, I used the test user provided by the demo_client platform itself.

To demonstrate the vulnerability, I first authenticated on the application by accessing my profile and then my profile page. Using Burp Suite, I was able to intercept the requests.

When intercepting the requests with Burp Suite, I noticed that our user, Demo, was referenced by the number 21, as shown in the following printout. The other parameters captured in the request would also be useful for identifying the next vulnerability.

My user Demo:

After intercepting the request, I was able to change the ID to a different number, which resulted in access to the personal data of other users registered in the system. This demonstrates the severity of the IDOR vulnerability.

Manipulating the user ID in the request resulted in access to sensitive information belonging to another user in the system. This is a clear indication of the potential damage that could be inflicted by an attacker exploiting the IDOR vulnerability.

Broken Access Control

To provide context for this vulnerability, it’s important to understand that the platform registers each user or agent within specific groups, and access to tickets is restricted based on these groups.

As shown in the following printout, when accessing “my tickets,” our customer user had four open tickets and two closed tickets.

Returning to “my profile,” I intercepted the Burp request and was able to gain unauthorized access, as demonstrated in the following screenshot:

During testing, I discovered that by removing the “client” parameter from the request to access our profile, I was able to obtain access that only the system administrator should have. With this level of access, I was able to include myself in other organizations and view all the tickets in the system, despite being just an ordinary user. This demonstrates a serious Broken Access Control vulnerability.

Removing the “client” parameter from the request also enabled me to view sensitive information such as the work phone, email, and mobile phone associated with our user profile. Furthermore, by changing the userid in the request, I could obtain this information for any user on the platform.

Result of changing the user ID and removing the client parameter from the request:

Using the method described above, I was able to view the personal data of the Aston user and the organization to which he belongs within the system.

After gaining elevated access as described above, I was able to include myself in all the organizations available in the system, even though I was just an ordinary user. This is another example of how the Broken Access Control vulnerability could be exploited to gain unauthorized privileges on the platform.

Once I had selected the organizations, I simply clicked on the submit button to include myself in them, as shown in the following screenshot. This demonstrates how easily an attacker could exploit this vulnerability to gain unauthorized access to sensitive information within the system.

Changes made successfully =)

Upon returning to the “My Tickets” section, I was able to view 25 open and 6 closed tickets, including those from other organizations.
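As an added example that is not Faveo's code, the Python sketch below models the two defects described above (a request-supplied user id selecting the record, and the mere presence of a "client" parameter deciding the access level) next to a hardened handler that takes the acting user and its role from the server-side session and scopes tickets by organization. All users, roles, organizations and tickets are constructed sample data.

```python
# Added example, not Faveo's code: request-trusting handlers next to a
# hardened authorization layer. All data below is constructed.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    role: str          # "admin" or "client" (constructed roles)
    orgs: frozenset    # organizations the user belongs to
    email: str


@dataclass
class Ticket:
    id: int
    org: str


class Forbidden(Exception):
    pass


# Constructed sample data; id 21 mirrors the "Demo" user from the write-up.
USERS = {
    1: User(1, "admin", frozenset(), "admin@example.test"),
    21: User(21, "client", frozenset({"demo-org"}), "demo@example.test"),
    22: User(22, "client", frozenset({"aston-org"}), "aston@example.test"),
}
TICKETS = [Ticket(100, "demo-org"), Ticket(101, "aston-org"), Ticket(102, "aston-org")]


def vulnerable_profile(params: dict) -> dict:
    """Trusts the request: the id picks any record (IDOR) and the presence of
    a "client" parameter decides between the restricted and the full view."""
    target = USERS[int(params["id"])]
    if "client" in params:
        return {"id": target.id}
    return {"id": target.id, "email": target.email, "orgs": sorted(target.orgs)}


def hardened_profile(params: dict, session_user_id: int) -> dict:
    """Actor and role come from the server-side session, never from the
    request; a non-admin may only read its own record."""
    actor = USERS[session_user_id]
    target = USERS.get(int(params.get("id", session_user_id)))
    if target is None or (actor.role != "admin" and actor.id != target.id):
        raise Forbidden  # same answer for unknown and foreign ids
    return {"id": target.id, "email": target.email, "orgs": sorted(target.orgs)}


def hardened_tickets(session_user_id: int) -> list:
    """Tickets are scoped by the actor's organizations; only admins see all."""
    actor = USERS[session_user_id]
    if actor.role == "admin":
        return [t.id for t in TICKETS]
    return [t.id for t in TICKETS if t.org in actor.orgs]
```

The key change is that neither the user id nor the role is taken from the request without being checked against the authenticated session.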

Thanks for taking the time to read my article about the pentesting I did on Faveo. I hope you found it informative and useful. If you’re a security enthusiast like me, then you know how exciting it can be to uncover vulnerabilities and work on improving system security.

I had a blast working on this project and I’m already looking forward to exploring something new in my next article.

Anyway, thanks again for reading and stay tuned for my next adventure in the wonderful world of security testing. Until then, keep your systems secure and your coffee hot! 💀☕️
