lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 18 Aug 2015 12:06:13 +0200
From: Lukasz Miedzinski <lukasz.miedzinski@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] UNIT4TETA TETA WEB - Authorization Bypass vulnerability

Title: UNIT4TETA TETA WEB - Authorization Bypass vulnerability
Author: Lukasz MiedziƄski
Date: 08. January 2015
CVE: CVE-2015-1173

Affected software :
===================

UNIT4TETA TETA WEB 22.62.3.4 - newest version

Older versions are probably affected too.


Exploit was tested on :
======================


UNIT4TETA TETA WEB 22.62.3.4 - newest version


Description :
=============

TETA Web (former TETA Galactica) is an Internet platform interoperating
with TETA HR (former TETA Personnel) application. It provides support for
the HR departments of small, medium and very large companies.

With this platform managers obtain a tool for effective management of
subordinate business units, and HR departments can transfer some of their
tasks, such as generating reports and printouts, monitoring leave days
numbers and periodic examination dates, to employees and their supervisors.


Vulnerabilities :
*****************

Authorization Bypass :
================================

Description: Unauthorized users are able to manipulate received parameters
and get privileges to modules:
- Design Mode
- Debug Logger mode

Vulnerability is confirmed by Vendor. Patch is released


Contact :
=========

Lukasz[dot]Miedzinski[at]gmail[dot]com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists