The ‘document’ parameter of PDS Vista 7’s /application/documents/display.aspx page is vulnerable to a Local File Inclusion vulnerability which allows an low-privileged authenticated attacker to leak the configuration files and source code of the web application.
The implementation of PDS Vista 7 may vary by organization so the following proof-of-concept may not follow the same flow as other client implementations. The situation in which Assura discovered this vulnerability, the client had implemented PDS Vista 7 to accept applications for job positions. This required the creation of an account by a job application which exposed the vulnerable function.
Proxy a browser in Burp Suite or another web browser proxying tool.
Log into the system that implements PDS Vista 7 prior to the application of the patch ‘184.108.40.206 – External Applicants Security Hotfix – XA Clients Only’.
Navigate to the /application/documents/display.aspx?document= page.
At this point, the page should return a 200 OK code but the page itself will be blank in the web browser.
Add the value ‘/web.config’ to the document parameter and request the page again. See that this time we receive a response with encrypted content. This is where the vulnerability gets interesting.
In Burp Suite, find the request/response pair for the /application/documents/display.aspx?document=/web.config request.
In the response body, search for the string ‘padDiv’. Within the ‘padDiv’ section of the response body, we can see the unencrypted contents of the file requested.
This vulnerability can be used to retrieve any file contents within the root or sub-directories of the web application but not system level or above-root level files.
There is no pre-packaged exploit for this vulnerability at this time although it can be easily exploited manually as shown in the Proof-of-Concept section above.
Customers should apply the following patch - ‘220.127.116.11 – External Applicants Security Hotfix – XA Clients Only’