CVE-2017-7312 – How to get Personify API Access with one click

Recently, I was doing some pen-testing on a higher end Association Management System (AMS) called Personify. Specifically, the Personify360 7.5 platform. Some significant bugs were discovered and in the next few posts I’ll describe what they are and how they were found.

Background

Personify is a system that helps associations manage their membership fees as well as sell products via a built-in e-Conmerce platform.

The Bug

When on a Personify site navigate to the /TabId/275 URI, it should look something like this:

http://www.site.com/TabId/275

When you go there a screen similar to this will appear

tab-275

This is actually showing a list of ‘vendors’ (read: programs with API access with their usernames. The is no login required to see this data.

It gets better, if you click the edit button on any of the rows, here’s what comes up

view-edit-vendor 2

Yup all the account data is available in clear text (cut out for privacy reasons). Username, Password, Block (Personify’s version of password) as well as other information is available to copy or edit, good times.

You can even go back to the previous page (first screenshot) and click the New button if you just want to create an additional account.

Once that’s done you can use SoapUI or a similar tool to connect to their web-services using these credentials and to actions on user accounts or just to steal all the data.

To fix this issue update to the latest version of Personify by following the instructions from their email (see below screenshot)

personify-email-fix

CVE-2017-7312

Advertisements

One thought on “CVE-2017-7312 – How to get Personify API Access with one click

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s