Several Vulnerabilities founded in Horsys V8
Horsys is a human resource appliation, allowing the user to manage his profile, vacation, position title and other personnal data like address, phone number and so on. The application runs on Windows and launches a web server. This product has been developped by Asys company. We found that it is vulnerable to several vulnerabilities, which can lead to personal information leakage or account take-over.Horsys is a human resource appliation, allowing the user to manage his profile, vacation, position title and other personnal data like address, phone number and so on.
The application runs on Windows and launches a web server. This product has been developped by Asys company.
We found that it is vulnerable to several vulnerabilities, which can lead to personal information leakage or account take-over.
Session fixation on the login page
Description
Horsys V8 login web page has been affected by a fixation session vulnerability, as the session ID is sent in the URL. The ID can be retrieved by an attacker with a simple visit and then re-used to make the victim authenticate against the application.
Following a successful authentication, the session ID gets valid, granting the attacker with all the victim’s privileges.
Access Vector: remote
Security Risk: high
Vulnerability: CWE-384
CVSS Base Score: 6.5
Proof of Concept
The attacker simply accesses to the login page, in order to retrieve an unique session ID. The attacker then sends this URL, along with the session ID, to the victim, asking her to authenticate (using a phishing pretext).
Once the victim authenticates, the session ID gets valid for the authenticated session. Then, the attacker just needs to refresh the URL in his browser to get access to the victim’s profile.
Stored Cross Site Scripting
Description
A user input field suffers from code injection, due to improper data sanitization. The injected code is stored and executed for each visit to the web page.
On the working hour arrangement page, the A30 variable is vulnarable to XSS injection.
Access Vector: remote
Security Risk: Low
Vulnerability: CWE-79
CVSS Base Score: 4.3
Proof of Concept
The following POST data allows Javascript code execution on the working hour arrangement page.
WD_BUTTON_CLICK_=A26&WD_ACTION_=&A25=1&A27=25%2F01%2F2016&A31=1&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&A7=0&A14=&A3=0&A21=
Reflected Cross Site Scripting
Description
A user input field suffers from code injection, due to improper data sanitization.The injected code is reflected to the browser, requiring user interaction to be executed.
On the day off request page, the A30 variable is vulnarable to XSS injection.
Access Vector: remote
Security Risk: low
Vulnerability: CWE-79
CVSS Base Score: 3.6
Proof of Concept
The following POST value allows Javascript code execution on the day off request page.
WD_ACTION_=AJAXPAGE&EXECUTE=16&WD_CONTEXTE_=A26&WD_BUTTON_CLICK_=&M111=&M101=&M109=&A14=&A7=&A6=&A10=&A16=&A100=5%20991%20541&A102=26%20485&A29=1&A53=Rachat%201%20jour%20Libre@%25@2@%25@@%25@@%25@0.1&A32=&A31=&A30=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&A28=27/01/2016&A27=25/01/2016&A25=1&A114=1&A35=1&A103=1&A103_DEB=1&_A103_OCC=1
Session ID exposed in URL
Description
The application sends the session id along with the URL, exposing user session to hijacking.
Access Vector: remote
Security Risk: medium
Vulnerability: CWE-598
CVSS Base Score: 7.3
User enumeration
Description
The login page allows user enumeration by displaying different messages, depending on the presence or the absence of targeted accounts.
Access Vector: remote
Security Risk: low
Vulnerability: CWE-203
CVSS Base Score: 5.3
User password divulgation
Description
The application stores user passwords in clear-text.
When using a valid session ID (see session fixation vulnerability), a user or an attacker is redirected to the login page, where the login and the password fields are pre-filled with the user actual credentials in clear-text.
Access Vector: remote
Security Risk: high
Vulnerability: CWE-200
CVSS Base Score: 7.3
SQL truncation on password
Description
Inside the user profile, the field used to type in a new password is not well designed as it truncates input data.
As as result, whereas the web form allows the user to set a 15-character long password, it actually writes only the first 8 characters in the SQL field. The flaw considerably decreases the sturdiness of user passwords.
Access Vector: remote
Security Risk: high
Vulnerability: CWE-222
CVSS Base Score: 3.9
Affected versions
- Version = 8.X
Solution
Update to version latest version 9.2.1 (so’Horsys)
Timeline (dd/mm/yyyy)
- 26/01/2016 : Initial discovery
- 25/02/2016 : Contact with vendor team
- 15/04/2016 : vendor response, vulnerability is fixed in the latest version 9.2.1
Credits
- Florian Nivette f.nivette@sysdream.com