exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Horsys 8 Session Fixation / User Enumeration / XSS

Horsys 8 Session Fixation / User Enumeration / XSS
Posted Jun 21, 2016
Authored by Florian Nivette

Horsys version 8 suffers from session fixation, user enumeration, cross site scripting, and various other vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 2cf891357719c9ee8d97ed7baefa0021b4075aec7115f053efab68a25f3f0d71

Horsys 8 Session Fixation / User Enumeration / XSS

Change Mirror Download
# Several Vulnerabilities founded in Horsys V8

Horsys is a human resource appliation, allowing the user to manage his profile, vacation, position title and other personnal data like address, phone number and so on.

The application runs on Windows and launches a web server. This product has been developped by Asys company.

We found that it is vulnerable to several vulnerabilities, which can lead to personal information leakage or account take-over.


## Session fixation on the login page

### Description

Horsys V8 login web page has been affected by a fixation session vulnerability, as the session ID is sent in the URL. The ID can be retrieved by an attacker with a simple visit and then re-used to make the victim authenticate against the application.
Following a successful authentication, the session ID gets valid, granting the attacker with all the victim's privileges.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-384

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

**CVSS Base Score**: 6.5

### Proof of Concept

The attacker simply accesses to the login page, in order to retrieve an unique session ID. The attacker then sends this URL, along with the session ID, to the victim, asking her to authenticate (using a phishing pretext).
Once the victim authenticates, the session ID gets valid for the authenticated session. Then, the attacker just needs to refresh the URL in his browser to get access to the victim's profile.

## Stored Cross Site Scripting

### Description

A user input field suffers from code injection, due to improper data sanitization. The injected code is stored and executed for each visit to the web page.

On the working hour arrangement page, the *A30* variable is vulnarable to XSS injection.

**Access Vector**: remote

**Security Risk**: Low

**Vulnerability**: CWE-79

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O

**CVSS Base Score**: 4.3

### Proof of Concept

The following POST data allows Javascript code execution on the working hour arrangement page.

WD_BUTTON_CLICK_=A26&WD_ACTION_=&A25=1&A27=25%2F01%2F2016&A31=1&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&A7=0&A14=&A3=0&A21=


## Reflected Cross Site Scripting

### Description

A user input field suffers from code injection, due to improper data sanitization.The injected code is reflected to the browser, requiring user interaction to be executed.

On the day off request page, the *A30* variable is vulnarable to XSS injection.

**Access Vector**: remote

**Security Risk**: low

**Vulnerability**: CWE-79

**CVSS Base Score**: 3.6

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O

### Proof of Concept

The following POST value allows Javascript code execution on the day off request page.

WD_ACTION_=AJAXPAGE&EXECUTE=16&WD_CONTEXTE_=A26&WD_BUTTON_CLICK_=&M111=&M101=&M109=&A14=&A7=&A6=&A10=&A16=&A100=5%20991%20541&A102=26%20485&A29=1&A53=Rachat%201%20jour%20Libre@%25@2@%25@@%25@@%25@0.1&A32=&A31=&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&A28=27/01/2016&A27=25/01/2016&A25=1&A114=1&A35=1&A103=1&A103_DEB=1&_A103_OCC=1


## Session ID exposed in URL

### Description

The application sends the session id along with the URL, exposing user session to hijacking.

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-598

**CVSS Base Score**: 7.3

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N


## User enumeration

### Description

The login page allows user enumeration by displaying different messages, depending on the presence or the absence of targeted accounts.

**Access Vector**: remote

**Security Risk**: low

**Vulnerability**: CWE-203

**CVSS Base Score**: 5.3

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


## User password divulgation

### Description

The application stores user passwords in clear-text.

When using a valid session ID (see session fixation vulnerability), a user or an attacker is redirected to the login page, where the login and the password fields are pre-filled with the user actual credentials in clear-text.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-200

**CVSS Base Score**: 7.3

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N


## SQL truncation on password

### Description

Inside the user profile, the field used to type in a new password is not well designed as it truncates input data.

As as result, whereas the web form allows the user to set a 15-character long password, it actually writes only the first 8 characters in the SQL field. The flaw considerably decreases the sturdiness of user passwords.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-222

**CVSS Base Score**: 3.9

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N


## Affected versions

* Version = 8.X


## Solution

Update to version latest version 9.2.1 (so'Horsys)


## Timeline (dd/mm/yyyy)

* 26/01/2016 : Initial discovery
* 25/02/2016 : Contact with vendor team
* 15/04/2016 : vendor response, vulnerability is fixed in the latest version 9.2.1


## Credits

* Florian Nivette <f.nivette@sysdream.com>



--
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close