Sage DPW Insecure Direct Object Reference Vulnerability Allowing Unauthorized Access to Internal Forms

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in Sage DPW versions through 2024_12_004. This vulnerability allows unauthorized attackers to access internal forms by sending a crafted GET request. The issue arises from predictable URL patterns that can be exploited to crawl internal pages without authentication, potentially leading to unauthorized access to sensitive data and operations.

Impact

Exploitation of this vulnerability allows unauthorized access to internal forms and functions, bypassing authentication. This can expose sensitive data and operations, with certain functions inheriting the current application privilege context, potentially leading to unauthorized state-changing actions.

Reproduction

The vulnerability can be reproduced by sending GET requests to URLs with predictable numeric or alphanumeric patterns, such as A-0001.htm to A-9999.htm. This can be done manually or through automated crawling. The accessed pages may require no authentication and can include full or partial functionality, with some internal links leading to additional unauthenticated screens.

Remediation

Users are advised to update to Sage DPW version 2025_06_000.