| Title | Control iD RH iD v23.3.19.0 - Broken Access Control allows a low-privilege user access to high-privilege functions |
|---|
| Description | PoC:
1 - We will log in with a low-privilege account, that is, an employee.
Low-privilege (employee) account for validation:
Login: [email protected]
Password: 123456
(This account has a single function, which is to "Catch a Time" when the employee starts the work day.)
https://rhid.com.br/
2 - With an administrator account, I enumerated the paths that only high-privilege users can access, and then tested those paths with the employee account, the low-privilege one.
With the employee account, when trying to inject these paths, we were able to access them successfully!
Some of the paths:
/v2/#/list/device (We managed to delete the registered devices (danger!))
/v2/#/configuracoes (We were able to add information on behalf of other users.)
/v2/#/list_signature (Subscription Requests)
/v2/#/export_folha (Export Payroll (critical action!))
/v2/#/atestado_tecnico (Request a medical certificate)
/v2/#/device_monitor (iDCloud Monitoring)
This gives access to various functions and information that only administrator users have.
In short, you basically log in with the account and access these endpoints. |
|---|
| Source | https://www.controlid.com.br/relogio-de-ponto/rhid/ |
|---|
| User | Stux (UID 40142) |
|---|
| Submission | 25.04.2023 04:21 (3 years ago) |
|---|
| Moderation | 04.05.2023 18:23 (10 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 228015 [Control iD RHiD 23.3.19.0 /v2/#/ privilege escalation] |
|---|
| Points | 20 |
|---|
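The procedure in the submission's PoC (enumerate the screens an administrator can reach, then replay them with an employee account) turned into a differential authorization check. This is an added example, not code from the submission or from Control iD. It also carries the one caveat a tester needs before automating this: the PoC's routes are SPA fragment URLs (`/v2/#/...`), and a browser never sends the fragment, so all of them reach the server as `/v2/`; the check that matters has to run against the API requests the application issues behind those screens, captured from the administrator session with a proxy. The `/api/v2/...` paths and the fake backend below are constructed assumptions for this example only, not documented RHiD endpoints.

```python
"""Differential forced-browsing check for broken access control.

Added example (not the VulDB submission's code). Two sessions, one per role,
request the same candidate paths; a path is reported as unprotected when the
low-privilege session receives the same success result as the administrator.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# The fragment routes quoted in the submission.
POC_FRAGMENT_ROUTES = [
    "/v2/#/list/device",
    "/v2/#/configuracoes",
    "/v2/#/list_signature",
    "/v2/#/export_folha",
    "/v2/#/atestado_tecnico",
    "/v2/#/device_monitor",
]


def server_side_path(url: str) -> str:
    """Part of a URL the browser actually sends: everything before '#'.

    The fragment stays client-side, so every '/v2/#/...' route above collapses
    to '/v2/' on the wire and cannot be used as a server-side candidate.
    """
    return url.split("#", 1)[0]


@dataclass(frozen=True)
class Response:
    status: int
    body: str


# A session is anything that GETs a path and returns a Response; in a real run
# this wraps one logged-in HTTP session per role.
Session = Callable[[str], Response]

# Constructed fake backend (assumption for this example): role -> path -> response.
# Two endpoints skip the role check, one enforces it, one is shared on purpose.
FAKE_BACKEND: Dict[str, Dict[str, Response]] = {
    "admin": {
        "/api/v2/devices": Response(200, '[{"id": 1, "serial": "ABC"}]'),
        "/api/v2/export_folha": Response(200, "payroll.csv"),
        "/api/v2/configuracoes": Response(200, '{"company": "ACME"}'),
        "/api/v2/punch": Response(200, "clocked in"),
    },
    "employee": {
        "/api/v2/devices": Response(200, '[{"id": 1, "serial": "ABC"}]'),  # missing check
        "/api/v2/export_folha": Response(200, "payroll.csv"),             # missing check
        "/api/v2/configuracoes": Response(403, "forbidden"),              # enforced
        "/api/v2/punch": Response(200, "clocked in"),                     # legitimately shared
    },
}


def fake_session(role: str) -> Session:
    """Build a Session over the fake backend for one role."""
    def get(path: str) -> Response:
        return FAKE_BACKEND[role].get(path, Response(404, "not found"))
    return get


def classify(path: str, low: Session, admin: Session, shared: Iterable[str] = ()) -> str:
    """Verdict for one path.

    'shared'      - allow-listed as legitimately available to both roles
    'n/a'         - the administrator cannot reach it either
    'enforced'    - administrator succeeds, low-privilege user is refused
    'unprotected' - low-privilege user gets the administrator's success result
    'divergent'   - both succeed with different bodies (review by hand)
    """
    if path in set(shared):
        return "shared"
    a, l = admin(path), low(path)
    if not 200 <= a.status < 300:
        return "n/a"
    if not 200 <= l.status < 300:
        return "enforced"
    return "unprotected" if l.body == a.body else "divergent"


def find_unprotected(candidates: Iterable[str], low: Session, admin: Session,
                     shared: Iterable[str] = ()) -> List[str]:
    """Sorted list of paths the low-privilege session reaches with the admin's result."""
    shared = set(shared)
    return sorted(p for p in candidates if classify(p, low, admin, shared) == "unprotected")


if __name__ == "__main__":
    print({r: server_side_path(r) for r in POC_FRAGMENT_ROUTES})  # all map to '/v2/'
    low, admin = fake_session("employee"), fake_session("admin")
    candidates = list(FAKE_BACKEND["admin"])
    for p in candidates:
        print(p, classify(p, low, admin, shared=["/api/v2/punch"]))
    print("unprotected:", find_unprotected(candidates, low, admin, shared=["/api/v2/punch"]))
```

The allow-list argument exists because a time-clock application legitimately exposes some endpoints (the employee's own clock-in) to every role; without it, the harness would report those as findings. The `divergent` verdict catches endpoints that answer 200 to both roles but filter the body by role, which needs a human look rather than an automatic pass or fail.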