Submission #148296: Control iD RH iD v23.3.19.0 - Broken Access Control allows a low-privilege user access to high-privilege functions (information)

Title: Control iD RH iD v23.3.19.0 - Broken Access Control allows a low-privilege user access to high-privilege functions
Description: PoC:

1 - We will log in with a low-privilege account, that is, an employee. Low-privilege (employee) account for validation: Login: [email protected] Password: 123456 (This account has a single function, which is to "Catch a Time" for when the employee starts the work day.) https://rhid.com.br/

2 - With an administrator account, I enumerated the paths that only high-privilege users can access, and then tested those paths with the employee account, the low-privilege one. In the employee account, when trying to inject these paths, we were able to access them successfully! Some of the paths:

- /v2/#/list/device (We managed to delete the registered devices (danger!))
- /v2/#/configuracoes (We were able to add information on behalf of other users.)
- /v2/#/list_signature (Subscription Requests)
- /v2/#/export_folha (Export Payroll (critical action!))
- /v2/#/atestado_tecnico (Request a medical certificate)
- /v2/#/device_monitor (iDCloud Monitoring)

This gives access to various functions and information that only administrator users should have. In short, you basically log in with the account and access these endpoints.
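The defect the submission describes is a server that confirms a user is logged in but never checks the user's role against the function being called. The Python below is an added illustration of that pattern next to its deny-by-default fix, plus a small log check that flags successful requests a role should not have been allowed. It is not code from RH iD or from VulDB: the route table, the role names, the `Session` type, the `/v2/#/catch_time` route name and the sample log lines are all constructed here.

```python
"""Role-aware authorization check for the privileged functions named in the
report above.  Added illustration, not code from RH iD or VulDB: the route
table, the role names, the Session type and the sample log lines are all
constructed here."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

# Constructed mapping of the report's paths to the roles allowed to use them.
# Note: "/v2/#/..." are client-side hash routes that a browser never sends to
# the server, so a real fix keys this table on the backend API each route calls.
ROUTE_ROLES: Dict[str, Set[str]] = {
    "/v2/#/catch_time": {"employee", "admin"},  # hypothetical name for the employee's one function
    "/v2/#/list/device": {"admin"},
    "/v2/#/configuracoes": {"admin"},
    "/v2/#/list_signature": {"admin"},
    "/v2/#/export_folha": {"admin"},
    "/v2/#/atestado_tecnico": {"admin"},
    "/v2/#/device_monitor": {"admin"},
}


@dataclass(frozen=True)
class Session:
    user: str
    role: str


def vulnerable_authorize(session: Optional[Session], path: str) -> bool:
    """The pattern the report describes: only 'is someone logged in?' is
    checked, so an employee session reaches every admin path."""
    return session is not None


def hardened_authorize(session: Optional[Session], path: str) -> bool:
    """Deny by default: no session, unknown path, or wrong role all fail."""
    if session is None:
        return False
    allowed = ROUTE_ROLES.get(path)
    if allowed is None:
        return False
    return session.role in allowed


def reachable_paths(session: Optional[Session],
                    authorize: Callable[[Optional[Session], str], bool]) -> List[str]:
    """Paths a session can reach under a policy; useful as a regression test."""
    return sorted(p for p in ROUTE_ROLES if authorize(session, p))


# Constructed access-log lines: user, role, path, HTTP status.
SAMPLE_LOG = """\
alice employee /v2/#/catch_time 200
alice employee /v2/#/export_folha 200
alice employee /v2/#/list/device 200
bob admin /v2/#/export_folha 200
alice employee /v2/#/device_monitor 403
"""


def find_violations(log_text: str) -> List[str]:
    """Detection: flag successful (2xx) requests whose role is not allowed on
    the path, i.e. evidence that the permissive policy was in effect."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        user, role, path, status = parts
        if not status.startswith("2"):
            continue
        if not hardened_authorize(Session(user, role), path):
            hits.append(f"{user} ({role}) reached {path}")
    return hits


if __name__ == "__main__":
    emp = Session("alice", "employee")
    print("vulnerable policy:", reachable_paths(emp, vulnerable_authorize))
    print("hardened policy:  ", reachable_paths(emp, hardened_authorize))
    for v in find_violations(SAMPLE_LOG):
        print("VIOLATION:", v)
```

The point of `reachable_paths` is that a policy change can be asserted in a test: an employee session must resolve to exactly its own function and nothing else. Hiding a route in the client-side menu does not achieve that; only the server-side role check does.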
Source: https://www.controlid.com.br/relogio-de-ponto/rhid/
User: Stux (UID 40142)
Submitted: 2023-04-25 04:21 (3 years ago)
Moderated: 2023-05-04 18:23 (10 days later)
Status: Accepted
VulDB entry: 228015 [Control iD RHiD 23.3.19.0 /v2/#/ privilege escalation]
Points: 20
