Vision Helpdesk Serialized Insecure Direct Object Reference Vulnerability Allowing Unauthorized Profile Access

Vulnerability

A Serialized Insecure Direct Object Reference (IDOR) vulnerability has been identified in Vision Helpdesk versions prior to 5.7.0. This vulnerability allows attackers to access user profiles by manipulating serialized cookie data, specifically the 'vis_client_id' parameter. The 'vis_client_local' cookie, which is a Base64-encoded serialized object containing user-specific attributes, can be modified to impersonate other users and access their profile information, including email addresses and names.

Impact

Exploitation of this vulnerability allows unauthorized access to user profiles by manipulating the 'vis_client_id' value in the 'vis_client_local' cookie; the exposed data includes sensitive information such as email addresses and names. Additionally, the vulnerability enables session prediction, allowing attackers to impersonate users without authentication.

Reproduction

To reproduce this vulnerability, log into a Vision Helpdesk account and obtain the session cookie 'PHPSESSID'. Then, extract the 'vis_client_local' cookie, which contains the 'vis_client_id' parameter. Decode the cookie to access the serialized object, modify the 'vis_client_id' value to target different user IDs, and re-encode the object back into Base64. Replace the original cookie value with the modified one and send the request to the server. This will grant access to the user profile associated with the modified 'vis_client_id'.

Remediation

Users are advised to update to Vision Helpdesk version 5.6.10 or later, where this vulnerability has been patched.
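The root cause is that the application takes the caller's identity from a client-controlled cookie. The following is an added PHP example, not Vision Helpdesk's code, showing that pattern beside a hardened version that derives identity from the server-side session and, where client-side state must remain, binds it with an HMAC and parses it as JSON instead of calling unserialize(). Only the cookie name 'vis_client_local' and the field 'vis_client_id' come from the advisory; the array layout, function names, session key and signing scheme are assumptions.

```php
<?php
// Added example (not Vision Helpdesk's code); layout and names are assumed.

// VULNERABLE PATTERN: the client decides who it is. Rewriting vis_client_id
// inside the Base64-encoded serialized cookie selects another user's profile.
function currentClientIdVulnerable(array $cookies): ?int
{
    if (!isset($cookies['vis_client_local'])) {
        return null;
    }
    $raw = base64_decode($cookies['vis_client_local'], true);
    $data = $raw === false ? false : @unserialize($raw);
    return is_array($data) && isset($data['vis_client_id'])
        ? (int) $data['vis_client_id']
        : null;
}

// HARDENED: identity comes only from server-side session state set by the
// login handler (session_start() and $_SESSION['client_id'], assumed here).
// A client-side cookie may carry preferences, never authority.
function currentClientIdHardened(array $session): ?int
{
    return isset($session['client_id']) ? (int) $session['client_id'] : null;
}

// Object-level check for a profile request: the requested profile must belong
// to the session owner (a staff-role exception would be added here if needed).
function canViewProfile(?int $sessionClientId, int $requestedClientId): bool
{
    return $sessionClientId !== null && $sessionClientId === $requestedClientId;
}

// If client-side state must stay, bind it to the server with an HMAC so any
// change to vis_client_id is detected; JSON replaces unserialize() for
// untrusted input. $key is a server-held secret (constructed placeholder).
function verifySignedCookie(string $cookie, string $key): ?array
{
    $parts = explode('.', $cookie, 2);          // "payload.signature"
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $sig] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $sig)) {
        return null;                            // tampered or forged
    }
    $data = json_decode((string) base64_decode($payload, true), true);
    return is_array($data) ? $data : null;
}
```

A request handler would call canViewProfile(currentClientIdHardened($_SESSION), $requestedId) before loading any profile row, and log a mismatch between the cookie's vis_client_id and the session's client_id as a tampering indicator.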

Added: Apr 16, 2026, 11:26 PM
Updated: Apr 16, 2026, 11:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.0
remediation: 0.0
relevance: 6.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.