Benner ModernaNet Insecure Direct Object Reference Vulnerability

A critical Insecure Direct Object Reference (IDOR) vulnerability exists in Benner ModernaNet versions prior to 1.1.1. The issue is located in the '/AGE0000700/GetImageMedico' endpoint, where the 'fooId' parameter lacks proper validation. This flaw allows remote attackers to manipulate the 'fooId' value to access sensitive information about other objects, such as details of registered doctors, potentially leading to unauthorized disclosure of confidential patient or doctor data.

Impact

Exploitation of this vulnerability allows unauthorized access to sensitive information about doctors and other related objects within the system, compromising the confidentiality of this data. Such access could include breach of confidential patient or doctor records, as well as other sensitive system information.

Reproduction

To reproduce this vulnerability, send a GET request to the '/AGE0000700/GetImageMedico' endpoint with a valid 'fooId' parameter. The response will include data related to the specified doctor or object. By changing the 'fooId' value to correspond with other IDs, different sets of sensitive data can be accessed. If an invalid 'fooId' is used, the application will return a default image, which could mislead an attacker into thinking they have valid access.

Remediation

Users are advised to upgrade to Benner ModernaNet version 1.1.1 or later.