Horsys 8 Session Fixation / User Enumeration / XSS

Posted Jun 21, 2016
Authored by Florian Nivette

Horsys version 8 suffers from session fixation, user enumeration, cross site scripting, and various other vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 2cf891357719c9ee8d97ed7baefa0021b4075aec7115f053efab68a25f3f0d71

# Several vulnerabilities found in Horsys V8

Horsys is a human resources application that lets users manage their profile, vacation, position title and other personal data such as address and phone number.

The application runs on Windows and launches a web server. The product is developed by the company Asys.

We found that it is affected by several vulnerabilities, which can lead to personal information leakage or account takeover.


## Session fixation on the login page

### Description

The Horsys V8 login page is affected by a session fixation vulnerability, as the session ID is sent in the URL. An attacker can obtain an ID with a simple visit and then have the victim authenticate against the application with it.
Following a successful authentication, that session ID becomes valid, granting the attacker all of the victim's privileges.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-384

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

**CVSS Base Score**: 6.5

### Proof of Concept

The attacker simply accesses the login page in order to retrieve a unique session ID. The attacker then sends this URL, along with the session ID, to the victim, asking her to authenticate (using a phishing pretext).
Once the victim authenticates, the session ID becomes valid for the authenticated session. The attacker then only needs to refresh the URL in his browser to access the victim's profile.

## Stored Cross Site Scripting

### Description

A user input field is subject to code injection due to improper data sanitization. The injected code is stored and executed on each visit to the web page.

On the working hour arrangement page, the *A30* variable is vulnerable to XSS injection.

**Access Vector**: remote

**Security Risk**: low

**Vulnerability**: CWE-79

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O

**CVSS Base Score**: 4.3

### Proof of Concept

The following POST data allows JavaScript code execution on the working hour arrangement page.

WD_BUTTON_CLICK_=A26&WD_ACTION_=&A25=1&A27=25%2F01%2F2016&A31=1&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&A7=0&A14=&A3=0&A21=


## Reflected Cross Site Scripting

### Description

A user input field is subject to code injection due to improper data sanitization. The injected code is reflected to the browser and requires user interaction to be executed.

On the day off request page, the *A30* variable is vulnerable to XSS injection.

**Access Vector**: remote

**Security Risk**: low

**Vulnerability**: CWE-79

**CVSS Base Score**: 3.6

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O

### Proof of Concept

The following POST value allows JavaScript code execution on the day off request page.

WD_ACTION_=AJAXPAGE&EXECUTE=16&WD_CONTEXTE_=A26&WD_BUTTON_CLICK_=&M111=&M101=&M109=&A14=&A7=&A6=&A10=&A16=&A100=5%20991%20541&A102=26%20485&A29=1&A53=Rachat%201%20jour%20Libre@%25@2@%25@@%25@@%25@0.1&A32=&A31=&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&A28=27/01/2016&A27=25/01/2016&A25=1&A114=1&A35=1&A103=1&A103_DEB=1&_A103_OCC=1
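The two request bodies above both carry the payload in the *A30* field. The following added example (not Horsys or Asys code) decodes those bodies as a server would, then shows the difference between echoing *A30* into the page verbatim, which is the behaviour the stored and reflected findings describe, and writing it through HTML output encoding. The `<td>` wrapper, the `field`/`render_*` helper names and the `contains_markup` check are assumptions for illustration; the bodies themselves are the advisory's own PoC strings.

```python
import html
from urllib.parse import parse_qs

# The two request bodies quoted in the advisory, embedded here as sample input.
STORED_XSS_BODY = (
    "WD_BUTTON_CLICK_=A26&WD_ACTION_=&A25=1&A27=25%2F01%2F2016&A31=1"
    "&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&A7=0&A14=&A3=0&A21="
)
REFLECTED_XSS_BODY = (
    "WD_ACTION_=AJAXPAGE&EXECUTE=16&WD_CONTEXTE_=A26&WD_BUTTON_CLICK_=&M111=&M101=&M109="
    "&A14=&A7=&A6=&A10=&A16=&A100=5%20991%20541&A102=26%20485&A29=1"
    "&A53=Rachat%201%20jour%20Libre@%25@2@%25@@%25@@%25@0.1&A32=&A31="
    "&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&A28=27/01/2016&A27=25/01/2016"
    "&A25=1&A114=1&A35=1&A103=1&A103_DEB=1&_A103_OCC=1"
)


def field(body, name):
    """Decode one application/x-www-form-urlencoded field ('' if absent)."""
    return parse_qs(body, keep_blank_values=True).get(name, [""])[0]


def render_vulnerable(value):
    """The behaviour the advisory describes: the field is written into the
    page verbatim, so any markup in it becomes part of the document."""
    return f"<td>{value}</td>"


def render_safe(value):
    """Output encoding for an HTML text node. quote=True also encodes
    quotes, so the same helper stays safe inside a quoted attribute value."""
    return f"<td>{html.escape(value, quote=True)}</td>"


def contains_markup(value):
    """Cheap server-side check (hypothetical): a comment or label field
    such as A30 should never carry angle brackets, so their presence is
    worth logging and rejecting before the value is stored."""
    return "<" in value or ">" in value


def demo():
    """Run both PoC bodies through the two renderers and the check."""
    results = {}
    for label, body in (("stored", STORED_XSS_BODY), ("reflected", REFLECTED_XSS_BODY)):
        a30 = field(body, "A30")
        results[label] = {
            "decoded": a30,
            "flagged": contains_markup(a30),
            "vulnerable": render_vulnerable(a30),
            "safe": render_safe(a30),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, repr(r["decoded"]), "->", r["safe"])
```

Encoding at output time is what fixes both findings: the stored variant differs from the reflected one only in where the same unencoded value is written back, so a template that always passes field values through `html.escape` (or the equivalent of the real framework) removes both.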


## Session ID exposed in URL

### Description

The application sends the session ID in the URL, exposing the user's session to hijacking.

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-598

**CVSS Base Score**: 7.3

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
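The session fixation finding and the session-ID-in-URL finding above share one root cause: a server-issued ID that the client can carry around (and hand to someone else) before authentication, and that keeps its value after authentication. The following added example (not Horsys or Asys code) shows the server-side pattern that removes both: the ID travels in a cookie rather than the query string, and it is replaced the moment a login succeeds, so an ID obtained before login never becomes an authenticated one. `SessionStore`, the `HSESSID` cookie name and the constructed user table are assumptions for illustration.

```python
import hmac
import secrets

# Constructed credentials for the demo (not real accounts). A real store
# would hold salted hashes; this toy keeps one entry to focus on session IDs.
USERS = {"alice": "correct horse"}


class SessionStore:
    """Server-side session table. IDs are random, issued by the server,
    and replaced at the moment of authentication."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user": str or None}

    def new_session(self):
        """Anonymous session handed out on the first visit (e.g. login page)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, username, password):
        """Authenticate. On success the presented ID is destroyed and a fresh
        one issued, which is the CWE-384 mitigation: whoever already holds
        the old ID gains nothing from the victim's login."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        self._sessions.pop(sid, None)  # drop the pre-auth ID, known or not
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username}
        return new_sid


def session_cookie(sid):
    """Set-Cookie value for the ID. A cookie, unlike a query-string parameter
    (CWE-598), is not copied into bookmarks, server logs, Referer headers or
    URLs pasted to other people; the flags keep it off plain HTTP and away
    from script."""
    return f"HSESSID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_attempt():
    """Replay the advisory's scenario against the hardened store: an ID is
    obtained before login, the victim logs in with it, and the original
    holder then tries to use it. Returns (what the old ID now maps to,
    the user behind the new ID)."""
    store = SessionStore()
    pre_auth_sid = store.new_session()                       # obtained by visiting the login page
    post_auth_sid = store.login(pre_auth_sid, "alice", "correct horse")  # victim logs in with it
    return store.get(pre_auth_sid), store.get(post_auth_sid)["user"]


if __name__ == "__main__":
    old, user = fixation_attempt()
    print("old id resolves to:", old, "| new session belongs to:", user)
    print(session_cookie("<example-id>"))
```

The important line is the `pop` before the new ID is minted: regenerating the ID only on the server side while still honouring the old one would leave the fixation window open. Frameworks usually expose this as a "regenerate session" call to be invoked right after credential verification.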


## User enumeration

### Description

The login page allows user enumeration by displaying different messages, depending on the presence or the absence of targeted accounts.

**Access Vector**: remote

**Security Risk**: low

**Vulnerability**: CWE-203

**CVSS Base Score**: 5.3

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


## User password divulgation

### Description

The application stores user passwords in clear text.

When using a valid session ID (see the session fixation vulnerability), a user or an attacker is redirected to the login page, where the login and password fields are pre-filled with the user's actual credentials in clear text.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-200

**CVSS Base Score**: 7.3

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N


## SQL truncation on password

### Description

Inside the user profile, the field used to enter a new password is poorly designed, as it silently truncates input data.

As a result, although the web form allows the user to set a 15-character password, only the first 8 characters are actually written to the SQL field. This flaw considerably weakens user passwords.

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-222

**CVSS Base Score**: 3.9

[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
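The user enumeration, clear-text password and SQL truncation findings above all live in the same place: how credentials are stored and compared at login. The following added example (not Horsys or Asys code) contrasts a store with the behaviour the advisory describes against one that fixes all three at once: passwords are kept as salted PBKDF2 digests (fixed length, so a column width can never truncate them and nothing is stored in clear text), an out-of-range password is rejected rather than silently cut, and the login response is the same whether the account is unknown or the password is wrong. The class and function names, the 100,000-iteration count and the constructed "alice" account are assumptions; the 15- and 8-character limits are the advisory's figures.

```python
import hashlib
import hmac
import secrets

MAX_PASSWORD_LEN = 15  # length the advisory says the web form accepts
COLUMN_WIDTH = 8       # length the advisory says actually reaches the SQL field
ITERATIONS = 100_000   # assumed PBKDF2 work factor for the demo
FAILURE_MESSAGE = "Invalid username or password"


class TruncatingClearTextStore:
    """The behaviour the advisory describes, kept for comparison: the password
    is stored in clear text and cut to the column width, so only its first 8
    characters are ever compared (CWE-222, CWE-200)."""

    def __init__(self):
        self._pw = {}

    def has_user(self, user):
        return user in self._pw

    def set_password(self, user, password):
        self._pw[user] = password[:COLUMN_WIDTH]

    def check(self, user, password):
        return self._pw.get(user) == password[:COLUMN_WIDTH]


class HashedStore:
    """Salted PBKDF2 digests: 32-byte storage regardless of password length,
    nothing in clear text, and an out-of-range password is rejected instead
    of silently shortened."""

    def __init__(self):
        self._rows = {}  # user -> (salt, digest)
        self._dummy = (secrets.token_bytes(16), bytes(32))  # used for unknown users

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def has_user(self, user):
        return user in self._rows

    def set_password(self, user, password):
        if not 1 <= len(password) <= MAX_PASSWORD_LEN:
            raise ValueError("password length out of range")
        salt = secrets.token_bytes(16)
        self._rows[user] = (salt, self._digest(password, salt))

    def check(self, user, password):
        # Hash even for unknown users so response time does not reveal
        # whether the account exists.
        salt, digest = self._rows.get(user, self._dummy)
        return hmac.compare_digest(self._digest(password, salt), digest) and user in self._rows


def login_message_leaky(store, user, password):
    """The pattern the advisory describes on the login page (CWE-203): the
    wording differs depending on whether the account exists."""
    if not store.has_user(user):
        return "Unknown user"
    return "OK" if store.check(user, password) else "Wrong password"


def login_message_uniform(store, user, password):
    """One message for both failure cases."""
    return "OK" if store.check(user, password) else FAILURE_MESSAGE


def demo():
    """Exercise both stores with a 14-character password and its 8-character prefix."""
    weak, strong = TruncatingClearTextStore(), HashedStore()
    password = "Tr0ub4dor&3xyz"  # constructed, 14 characters, within the form's limit
    for store in (weak, strong):
        store.set_password("alice", password)
    prefix = password[:COLUMN_WIDTH]
    return {
        "truncated_store_accepts_prefix": weak.check("alice", prefix),
        "hashed_store_rejects_prefix": not strong.check("alice", prefix),
        "hashed_store_accepts_full": strong.check("alice", password),
        "leaky_messages_differ": login_message_leaky(weak, "nobody", "x")
                                 != login_message_leaky(weak, "alice", "wrong"),
        "uniform_messages_equal": login_message_uniform(strong, "nobody", "x")
                                  == login_message_uniform(strong, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A quick check for the truncation finding on any system is exactly what `demo()` does: set a password longer than the suspected column width, then try to log in with only its prefix. If the prefix is accepted, the stored value has been cut.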


## Affected versions

* Version = 8.X


## Solution

Update to the latest version, 9.2.1 (so'Horsys).


## Timeline (dd/mm/yyyy)

* 26/01/2016 : Initial discovery
* 25/02/2016 : Contact with vendor team
* 15/04/2016 : Vendor response; the vulnerability is fixed in the latest version 9.2.1


## Credits

* Florian Nivette <f.nivette@sysdream.com>



--
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream
