BichitroGan ISP Billing Software Insecure Direct Object Reference Vulnerability
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability exists in BichitroGan ISP Billing Software version 2025.3.20. The vulnerability is located in the user management module, specifically within the endpoint that renders user profile views. The endpoint verifies that the caller is authenticated but does not verify that the caller is authorized to view the specific record requested: the user ID taken from the request is used directly to look up the account. As a result, an authenticated user with low privileges, such as a Sales role, can change the user ID parameter in the request and retrieve the profiles of other users, including those with administrative rights. This allows unauthorized viewing of sensitive account details and provides reconnaissance for follow-on attacks against privileged accounts.
Impact
Exploitation of this vulnerability allows low-privileged users to read and enumerate other users' account information, including the details of administrative accounts. Because the identifiers are sequential, the full user list can be walked with a simple loop. This exposes sensitive operational data and supplies the usernames, roles and contact details needed for targeted attacks (phishing, password guessing, social engineering) against admin users.
Reproduction
To reproduce this vulnerability, log in as a low-privileged user, such as a Sales or Agent role. Navigate to the user profile page, which is served by the settings/users-view route. On that page, change the user ID in the URL to the ID of another user. The application returns the account information for the specified ID, including the data of admin accounts, without any ownership or role check, which demonstrates the IDOR. Stepping the ID through the integer range is enough to enumerate every account.
Remediation
It is recommended to implement proper server-side authorization checks that validate the caller's permissions before any account data is read or returned. Restrict access so that users can only view their own profile unless their role is explicitly authorized to view other accounts, and apply this check on every user-related endpoint (role-based access control enforced in the handler or data-access layer, not only in the UI). Return the same response for a record the caller may not view as for a record that does not exist, so the endpoint does not confirm which IDs are valid. Replacing sequential numeric identifiers in URLs with non-guessable ones makes enumeration harder but is not a substitute for the authorization check, since an attacker who learns a single identifier can still use it.
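The following is an added example, not code from BichitroGan or this advisory. It models the settings/users-view endpoint as a plain function so that the enumeration described under Reproduction and the server-side check described under Remediation can be compared offline. The user table, role names, the parameter name user_id and the session object are all constructed for the demo and are assumptions about the real application.

```python
# Added example (not BichitroGan code): the vulnerable handler beside its
# hardened form, plus the ID-stepping loop from the reproduction step.
# User records, roles, the session object and the "user_id" parameter name
# are assumptions constructed for this demo.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    username: str
    role: str
    email: str
    api_token: str  # stands in for any sensitive field on the profile page


# Constructed user table with sequential IDs, as the advisory describes.
USERS = {
    1: User(1, "admin", "Admin", "admin@example.isp", "tok-admin-0001"),
    2: User(2, "ops", "Admin", "ops@example.isp", "tok-admin-0002"),
    3: User(3, "sales1", "Sales", "sales1@example.isp", "tok-sales-0003"),
    4: User(4, "agent7", "Agent", "agent7@example.isp", "tok-agent-0004"),
}

# Roles allowed to view any profile; everyone else may view only their own.
PROFILE_READ_ALL_ROLES = {"Admin"}


class NotFound(Exception):
    """Raised for both missing and forbidden records, so the response does not
    tell a low-privileged caller whether the requested ID exists."""


def profile_view(user: User) -> dict:
    return {"id": user.id, "username": user.username, "role": user.role,
            "email": user.email, "api_token": user.api_token}


def users_view_vulnerable(session_user: User, user_id: int) -> dict:
    """Authenticated but not authorized: any logged-in user reaches any row."""
    target = USERS.get(user_id)
    if target is None:
        raise NotFound()
    return profile_view(target)


def users_view_fixed(session_user: User, user_id: int) -> dict:
    """Server-side ownership/role check before the record is returned."""
    target = USERS.get(user_id)
    allowed = (session_user.id == user_id
               or session_user.role in PROFILE_READ_ALL_ROLES)
    # Same exception for "no such user" and "not yours": no existence oracle.
    if target is None or not allowed:
        raise NotFound()
    return profile_view(target)


def enumerate_profiles(handler, session_user: User, id_range) -> dict:
    """Step the user_id parameter the way the reproduction step does and
    collect every profile the handler hands back."""
    found = {}
    for uid in id_range:
        try:
            found[uid] = handler(session_user, uid)
        except NotFound:
            pass
    return found


if __name__ == "__main__":
    sales = USERS[3]
    leaked = enumerate_profiles(users_view_vulnerable, sales, range(1, 10))
    print("vulnerable handler, Sales session:", sorted(leaked))  # [1, 2, 3, 4]
    kept = enumerate_profiles(users_view_fixed, sales, range(1, 10))
    print("fixed handler, Sales session:", sorted(kept))  # [3]
    admin_kept = enumerate_profiles(users_view_fixed, USERS[1], range(1, 10))
    print("fixed handler, Admin session:", sorted(admin_kept))  # [1, 2, 3, 4]
```

Run as a script: the Sales session pulls all four profiles, including both Admin accounts and their token field, from the vulnerable handler, and only its own profile from the fixed one, while an Admin session still sees every account. The fixed handler raises the same NotFound for IDs that do not exist and for IDs the caller may not view, so stepping through the range no longer reveals which IDs are valid.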
