Dovestones Software AD Phonebook versions prior to 4.0.0.11 contain an access control flaw in an administrative configuration endpoint that allows unauthenticated attackers to modify application settings despite an HTTP 401 response.
Incorrect Access Control
In Dovestones Software AD Phonebook before version 4.0.0.11, the /ADPhonebook/Admin/Save endpoint fails to properly enforce authentication and authorization. Although the endpoint returns an HTTP 401 Unauthorized response to unauthenticated requests, the backend logic still processes and persists the submitted configuration data.
As a result, a remote, unauthenticated attacker can send crafted HTTP POST requests to this endpoint and modify sensitive application configuration settings without valid credentials.
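The fail-open pattern described above, sketched as an added Python example that is not the vendor's code (AD Phonebook is not written in Python, and the handler, request, and setting names here are hypothetical): the vulnerable handler sets the 401 status on the response but never returns early, so the persistence step still runs; the corrected handler rejects the request before any state is touched. The probe function shows the check a tester should make against a real deployment: do not trust the status code, re-read the configuration afterwards.

```python
"""Added example: a 401 that is only a status code versus a 401 that stops processing.

All names (save_vulnerable, save_fixed, Settings, Request) are hypothetical and
do not reflect the real AD Phonebook code base.
"""
from dataclasses import dataclass, field

# Configuration keys an administrator is allowed to change (constructed allowlist).
ALLOWED_KEYS = {"ldap_server", "ldap_base_dn", "auth_mode"}


@dataclass
class Request:
    authenticated: bool
    is_admin: bool
    form: dict


@dataclass
class Response:
    status: int = 200
    body: str = ""


@dataclass
class Settings:
    """In-memory stand-in for the persisted application configuration."""
    values: dict = field(default_factory=lambda: {
        "ldap_server": "ldap.example.internal",
        "ldap_base_dn": "DC=example,DC=internal",
        "auth_mode": "windows",
    })


def save_vulnerable(req: Request, settings: Settings) -> Response:
    """Anti-pattern: the access-control failure is recorded on the response,
    but control falls through to the persistence logic anyway."""
    resp = Response()
    if not (req.authenticated and req.is_admin):
        resp.status = 401
        resp.body = "Unauthorized"
        # Missing `return resp` here is the whole bug: the caller sees a 401,
        # yet the lines below still execute for the anonymous request.
    settings.values.update(req.form)
    return resp


def save_fixed(req: Request, settings: Settings) -> Response:
    """Corrected form: deny before any side effect, and only accept known keys."""
    if not (req.authenticated and req.is_admin):
        return Response(401, "Unauthorized")
    unknown = set(req.form) - ALLOWED_KEYS
    if unknown:
        return Response(400, f"unknown settings: {sorted(unknown)}")
    settings.values.update(req.form)
    return Response(200, "Saved")


def probe(handler, authenticated: bool = False, is_admin: bool = False) -> dict:
    """Send one constructed POST through `handler` against a fresh configuration
    store and report the status code together with whether the stored
    configuration actually changed. A tester verifying the fix should do the
    same against a real instance: submit a harmless value, then read it back."""
    settings = Settings()
    before = dict(settings.values)
    req = Request(authenticated, is_admin, {"ldap_server": "ldap.attacker.example"})
    resp = handler(req, settings)
    return {
        "status": resp.status,
        "changed": settings.values != before,
        "ldap_server": settings.values["ldap_server"],
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", save_vulnerable), ("fixed", save_fixed)):
        print(name, "anonymous POST ->", probe(handler))
```

Running the script shows the two handlers returning the same 401 for an anonymous POST while only the vulnerable one has rewritten `ldap_server`, which is exactly why a black-box check of this class of bug must compare configuration state before and after the request rather than stopping at the response code.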
- Product: Dovestones Software AD Phonebook
- Versions Affected: All versions prior to 4.0.0.11
- Tested Version: 4.0.0.10
- Fixed Version: 4.0.0.11
- /ADPhonebook/Admin/Save endpoint (administrative configuration controller)
- Authentication and authorization middleware
- Configuration persistence logic
Successful exploitation may allow:
- Unauthorized modification of application configuration, including LDAP and authentication settings
- Loss of integrity of security-critical configuration data
- Potential information disclosure of sensitive configuration values
- Attack Type: Remote
- Authentication Required: No
- Exploitation Method: Crafted HTTP POST request to the vulnerable endpoint
- User Interaction Required: No
Upgrade to Dovestones Software AD Phonebook version 4.0.0.11 or later, which correctly enforces authentication and authorization checks before processing configuration updates.
The vendor has confirmed and acknowledged this vulnerability.
- Discovered by: Fedrick R. Sequeira (Accenture)
- Discovery Date: October 18, 2024
- Vendor Website: http://dovestones.com