CVE-2017-7313 – How to dump Personify Customer Data with one click (2/3)

Background

When pentesting Personify360, a hidden page was found that did not require authentication. The specific URL was:

http://www.site.com/TabId/275

In my previous post we discussed how this page can be leveraged to create or edit an existing API account.

In this post we will further explore the functionality available on the same page.

Dumping Customer Data

Looking at the left side of the screenshot, there are some more options:

[Screenshot: tab-275]

If we click on Customer Management we see the following screen:

[Screenshot: customer-harvesting]

As you can see, there is a place to search for customers in the Personify database and return the top one hundred results. Yes, it can be time consuming, but because no login is required, a quick Python script can go through all the search combinations fairly quickly.

Once we have their customer IDs, we query the SSO database for their email addresses, which essentially gives us their usernames for the system.
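Because the page needs no login, the server-side trace of this kind of harvesting is a burst of requests to the same tab from one client. As an added defender-side example (not code from the original post or from Personify), the following Python flags clients that repeatedly hit the unauthenticated /TabId/275 page in a combined-format access log; the log lines are constructed, and the 60-second window and threshold of 3 are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real traffic). The only page-specific
# value is the unauthenticated /TabId/275 path described in the write-up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2017:10:00:01 +0000] "GET /TabId/275 HTTP/1.1" 200 5120
10.0.0.5 - - [12/Apr/2017:10:00:02 +0000] "POST /TabId/275 HTTP/1.1" 200 8800
10.0.0.5 - - [12/Apr/2017:10:00:03 +0000] "POST /TabId/275 HTTP/1.1" 200 8792
10.0.0.5 - - [12/Apr/2017:10:00:04 +0000] "POST /TabId/275 HTTP/1.1" 200 8810
10.0.0.9 - - [12/Apr/2017:10:00:05 +0000] "GET /Default.aspx HTTP/1.1" 200 1200
10.0.0.9 - - [12/Apr/2017:10:01:10 +0000] "GET /TabId/275 HTTP/1.1" 200 5120
"""

# Common/combined log format: client, identd, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_enumeration(log_text, path_prefix="/TabId/275", window_s=60, threshold=3):
    """Return {client_ip: max_hits} for clients that requested path_prefix at
    least `threshold` times inside any sliding `window_s`-second window.
    startswith() also catches variants such as /TabId/275/Default.aspx."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].lower().startswith(path_prefix.lower()):
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1            # slide the window forward
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

On the constructed sample, 10.0.0.5 is flagged with four hits in a minute while 10.0.0.9, which visited the tab once, is not.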

To fix this, follow the instructions in their email:

[Screenshot: personify-email-fix]

CVE-2017-7313
