Several Vulnerabilities founded in Horsys V8

Horsys is a human resource appliation, allowing the user to manage his profile, vacation, position title and other personnal data like address, phone number and so on.

The application runs on Windows and launches a web server. This product has been developped by Asys company.

We found that it is vulnerable to several vulnerabilities, which can lead to personal information leakage or account take-over.

Session fixation on the login page

Description

Horsys V8 login web page has been affected by a fixation session vulnerability, as the session ID is sent in the URL. The ID can be retrieved by an attacker with a simple visit and then re-used to make the victim authenticate against the application. Following a successful authentication, the session ID gets valid, granting the attacker with all the victim's privileges.

Access Vector: remote

Security Risk: high

Vulnerability: CWE-384

CVSS Base Score: 6.5

Proof of Concept

The attacker simply accesses to the login page, in order to retrieve an unique session ID. The attacker then sends this URL, along with the session ID, to the victim, asking her to authenticate (using a phishing pretext). Once the victim authenticates, the session ID gets valid for the authenticated session. Then, the attacker just needs to refresh the URL in his browser to get access to the victim's profile.

Stored Cross Site Scripting

Description

A user input field suffers from code injection, due to improper data sanitization. The injected code is stored and executed for each visit to the web page.

On the working hour arrangement page, the A30 variable is vulnarable to XSS injection.

Access Vector: remote

Security Risk: Low

Vulnerability: CWE-79

CVSS Base Score: 4.3

Proof of Concept

The following POST data allows Javascript code execution on the working hour arrangement page.

WD_BUTTONCLICK=A26&WDACTION=&A25=1&A27=25%2F01%2F2016&A31=1&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&A7=0&A14=&A3=0&A21=

Reflected Cross Site Scripting

Description

A user input field suffers from code injection, due to improper data sanitization.The injected code is reflected to the browser, requiring user interaction to be executed.

On the day off request page, the A30 variable is vulnarable to XSS injection.

Access Vector: remote

Security Risk: low

Vulnerability: CWE-79

CVSS Base Score: 3.6

Proof of Concept

The following POST value allows Javascript code execution on the day off request page.

WDACTION=AJAXPAGE&EXECUTE=16&WDCONTEXTE=A26&WD_BUTTONCLICK=&M111=&M101=&M109=&A14=&A7=&A6=&A10=&A16=&A100=5%20991%20541&A102=26%20485&A29=1&A53=Rachat%201%20jour%[email protected]%[email protected]@%[email protected]@%[email protected]@%[email protected]&A32=&A31=&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&A28=27/01/2016&A27=25/01/2016&A25=1&A114=1&A35=1&A103=1&A103_DEB=1&_A103_OCC=1

Session ID exposed in URL

Description

The application sends the session id along with the URL, exposing user session to hijacking.

Access Vector: remote

Security Risk: medium

Vulnerability: CWE-598

CVSS Base Score: 7.3

User enumeration

Description

The login page allows user enumeration by displaying different messages, depending on the presence or the absence of targeted accounts.

Access Vector: remote

Security Risk: low

Vulnerability: CWE-203

CVSS Base Score: 5.3

User password divulgation

Description

The application stores user passwords in clear-text.

When using a valid session ID (see session fixation vulnerability), a user or an attacker is redirected to the login page, where the login and the password fields are pre-filled with the user actual credentials in clear-text.

Access Vector: remote

Security Risk: high

Vulnerability: CWE-200

CVSS Base Score: 7.3

SQL truncation on password

Description

Inside the user profile, the field used to type in a new password is not well designed as it truncates input data.

As as result, whereas the web form allows the user to set a 15-character long password, it actually writes only the first 8 characters in the SQL field. The flaw considerably decreases the sturdiness of user passwords.

Access Vector: remote

Security Risk: high

Vulnerability: CWE-222

CVSS Base Score: 3.9

Affected versions

  • Version = 8.X

Solution

Update to version latest version 9.2.1 (so'Horsys)

Timeline (dd/mm/yyyy)

  • 26/01/2016 : Initial discovery
  • 25/02/2016 : Contact with vendor team
  • 15/04/2016 : vendor response, vulnerability is fixed in the latest version 9.2.1

Credits