CVE-2022-34002 Personnel Data Systems (PDS) Vista 7 - Local File Inclusion
Summary
Name | Personnel Data Systems (PDS) Vista 7 - Local File Inclusion |
Product | PDS Vista 7 |
Affected Versions | <7.1.7.2 – External Applicants Security Hotfix – XA Clients Only |
State | Public |
Release Date | 2022/08/08 |
Vulnerability
Type | Local File Inclusion |
Rule | CWE-22 - Improper Limitation of a Pathname to a Restricted Directory |
Remote? | Yes |
Authentication Required? | Yes |
CVSS v3 Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
CVSS v3 Base Score | 7.7 |
Exploit Available? | No, but manually exploitable |
CVE ID(s) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34002 |
Description
The ‘document’ parameter of PDS Vista 7’s /application/documents/display.aspx page is vulnerable to a Local File Inclusion vulnerability which allows an low-privileged authenticated attacker to leak the configuration files and source code of the web application.
Proof-of-Concept
The implementation of PDS Vista 7 may vary by organization so the following proof-of-concept may not follow the same flow as other client implementations. The situation in which Assura discovered this vulnerability, the client had implemented PDS Vista 7 to accept applications for job positions. This required the creation of an account by a job application which exposed the vulnerable function.
Proxy a browser in Burp Suite or another web browser proxying tool.
Log into the system that implements PDS Vista 7 prior to the application of the patch ‘7.1.7.2 – External Applicants Security Hotfix – XA Clients Only’.
Navigate to the /application/documents/display.aspx?document= page.
At this point, the page should return a 200 OK code but the page itself will be blank in the web browser.
Add the value ‘/web.config’ to the document parameter and request the page again. See that this time we receive a response with encrypted content. This is where the vulnerability gets interesting.
In Burp Suite, find the request/response pair for the /application/documents/display.aspx?document=/web.config request.
In the response body, search for the string ‘padDiv’. Within the ‘padDiv’ section of the response body, we can see the unencrypted contents of the file requested.
This vulnerability can be used to retrieve any file contents within the root or sub-directories of the web application but not system level or above-root level files.
Exploit
There is no pre-packaged exploit for this vulnerability at this time although it can be easily exploited manually as shown in the Proof-of-Concept section above.
Mitigation
Customers should apply the following patch - ‘7.1.7.2 – External Applicants Security Hotfix – XA Clients Only’
Credits
This vulnerability was discovered by Nick Berrie (https://www.linkedin.com/in/nick-berrie/), Technical Director of Assura’s Offensive Security Operations department at Assura, Inc.
References
Timeline
2022-04-27: Vulnerability discovered
2022-04-27: Vendor contacted
2022-06-19: CVE #s issued by MITRE
2022-04-29: Vendor confirmed patch
2022-08-08: Public disclosure
Related Vulnerabilities
-
-
-
-
CVE-2022-34002 Personnel Data Systems (PDS) Vista 7 - Local File Inclusion (Vulnerability Research)
Copyright 2022 Assura, Inc. All rights reserved.