Date: Tue, 21 Jun 2016 13:58:49 +0200
From: Sysdream Labs <labs@...dream.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE ID Request : Horsys v8 multiple vulnerabilities

# Several Vulnerabilities founded in Horsys V8

Horsys is a human resource appliation, allowing the user to manage his profile, vacation, position title and other personnal data like address, phone number and so on.

The application runs on Windows and launches a web server. This product has been developped by Asys company.

We found that it is vulnerable to several vulnerabilities, which can lead to personal information leakage or account take-over.


## Session fixation on the login page

### Description

Horsys V8 login web page has been affected by a fixation session vulnerability, as the session ID is sent in the URL. The ID can be retrieved by an attacker with a simple visit and then re-used to make the victim authenticate against the application.
Following a successful authentication, the session ID gets valid, granting the attacker with all the victim's privileges. 

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-384

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

**CVSS Base Score**: 6.5

### Proof of Concept

The attacker simply accesses to the login page, in order to retrieve an unique session ID. The attacker then sends this URL, along with the session ID, to the victim, asking her to authenticate (using a phishing pretext).
Once the victim authenticates, the session ID gets valid for the authenticated session. Then, the attacker just needs to refresh the URL in his browser to get access to the victim's profile.

## Stored Cross Site Scripting

### Description

A user input field suffers from code injection, due to improper data sanitization. The injected code is stored and executed for each visit to the web page.

On the working hour arrangement page, the *A30* variable is vulnarable to XSS injection.

**Access Vector**: remote

**Security Risk**: Low

**Vulnerability**: CWE-79

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O

**CVSS Base Score**: 4.3

### Proof of Concept

The following POST data allows Javascript code execution on the working hour arrangement page.

WD_BUTTON_CLICK_=A26&WD_ACTION_=&A25=1&A27=25%2F01%2F2016&A31=1&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&A7=0&A14=&A3=0&A21=


## Reflected Cross Site Scripting

### Description

A user input field suffers from code injection, due to improper data sanitization.The injected code is reflected to the browser, requiring user interaction to be executed.

On the day off request page, the *A30* variable is vulnarable to XSS injection.

**Access Vector**: remote

**Security Risk**: low

**Vulnerability**: CWE-79

**CVSS Base Score**: 3.6

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O

### Proof of Concept

The following POST value allows Javascript code execution on the day off request page.

WD_ACTION_=AJAXPAGE&EXECUTE=16&WD_CONTEXTE_=A26&WD_BUTTON_CLICK_=&M111=&M101=&M109=&A14=&A7=&A6=&A10=&A16=&A100=5%20991%20541&A102=26%20485&A29=1&A53=Rachat%201%20jour%20Libre@%25@2@%25@@%25@@%25@...&A32=&A31=&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&A28=27/01/2016&A27=25/01/2016&A25=1&A114=1&A35=1&A103=1&A103_DEB=1&_A103_OCC=1


## Session ID exposed in URL

### Description

The application sends the session id along with the URL, exposing user session to hijacking.

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-598

**CVSS Base Score**: 7.3

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N


## User enumeration

### Description

The login page allows user enumeration by displaying different messages, depending on the presence or the absence of targeted accounts.

**Access Vector**: remote

**Security Risk**: low

**Vulnerability**: CWE-203

**CVSS Base Score**: 5.3

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


## User password divulgation

### Description

The application stores user passwords in clear-text.

When using a valid session ID (see session fixation vulnerability), a user or an attacker is redirected to the login page, where the login and the password fields are pre-filled with the user actual credentials in clear-text.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-200

**CVSS Base Score**: 7.3

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N


## SQL truncation on password

### Description

Inside the user profile, the field used to type in a new password is not well designed as it truncates input data.

As as result, whereas the web form allows the user to set a 15-character long password, it actually writes only the first 8 characters in the SQL field. The flaw considerably decreases the sturdiness of user passwords.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-222

**CVSS Base Score**: 3.9

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N


## Affected versions

* Version = 8.X


## Solution

Update to version latest version 9.2.1 (so'Horsys)


## Timeline (dd/mm/yyyy)

* 26/01/2016 : Initial discovery
* 25/02/2016 : Contact with vendor team
* 15/04/2016 : vendor response, vulnerability is fixed in the latest version 9.2.1


## Credits

* Florian Nivette  <f.nivette@...dream.com>



-- 
SYSDREAM Labs <labs@...dream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists