Submit #148296: Control iD RH iD v23.3.19.0 - Broken Access Control allows a low-privilege user access to high-privilege functions

Title: Control iD RH iD v23.3.19.0 - Broken Access Control allows a low-privilege user access to high-privilege functions
Description: PoC:

1 - We will log in with a low-privilege account, that is, an employee. Low-privilege (employee) account for validation: Login: [email protected] Password: 123456 (This account has a single function, which is to "Catch a Time" when the employee starts the work day.) https://rhid.com.br/

2 - With an administrator account, I enumerated the paths that only high-privilege users can access, and then tested those paths with the low-privilege employee account. In the employee account, when trying to inject these paths, we were able to access them successfully! Some of the paths:

/v2/#/list/device (We managed to delete the registered devices (danger!))
/v2/#/configuracoes (We were able to add information on behalf of other users.)
/v2/#/list_signature (Subscription Requests)
/v2/#/export_folha (Export Payroll (critical action!))
/v2/#/atestado_tecnico (Request a medical certificate)
/v2/#/device_monitor (iDCloud Monitoring)

This gives access to various functions and information that only administrator users have. In short, you basically log in with the account and access these endpoints.
Source: https://www.controlid.com.br/relogio-de-ponto/rhid/
User: Stux (UID 40142)
Submission: 04/25/2023 04:21
Moderation: 05/04/2023 18:23 (10 days later)
Status: Accepted
VulDB entry: 228015 [Control iD RHiD 23.3.19.0 /v2/#/ direct request]
Points: 20
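The submission above describes a "direct request" (forced browsing) bug: the client hides administrator views from an employee, but nothing on the server verifies the caller's role when a view is requested directly. The following is an added example, not code from Control iD or from the submitter. It models that bug class with a toy backend in two configurations, the reported behaviour (role used only to build the menu) and the fixed one (role checked on every request), and runs the same differential test the submitter performed: enumerate routes as the admin, replay each as the employee, and report what the employee should not reach but does. The six admin routes are the ones listed in the submission; the employee route name /v2/#/clock_in, the role model, the sessions and the handlers are assumptions constructed for this example. Note that in the real product the /v2/#/ routes are hash fragments handled by the browser, so the server-side check belongs on the backend API calls each view makes, which the submission does not list; the example treats each route as a stand-in for that call.

```python
"""Added example, not code from Control iD or from the VulDB submission.

It models the bug class the submission describes ("direct request" / forced
browsing): the web client hides administrator menu entries from an employee,
but nothing on the server checks the caller's role, so requesting an admin
route directly works. The six admin routes are the ones listed in the
submission; the employee route name, the role model, the sessions and the
handlers are hypothetical stand-ins constructed for this example.
"""
from dataclasses import dataclass, field

EMPLOYEE = "employee"
ADMIN = "admin"
ROLE_RANK = {EMPLOYEE: 0, ADMIN: 1}

# Minimum role each route should require. Only the time-clock route is meant
# for employees; the name "/v2/#/clock_in" is an assumption for this example.
ROUTE_MIN_ROLE = {
    "/v2/#/clock_in": EMPLOYEE,
    "/v2/#/list/device": ADMIN,
    "/v2/#/configuracoes": ADMIN,
    "/v2/#/list_signature": ADMIN,
    "/v2/#/export_folha": ADMIN,
    "/v2/#/atestado_tecnico": ADMIN,
    "/v2/#/device_monitor": ADMIN,
}


@dataclass
class Session:
    user: str
    role: str


@dataclass
class RhidLikeApp:
    """Toy backend. enforce_server_side=False reproduces the reported
    behaviour: the role only decides which menu entries are rendered."""
    enforce_server_side: bool
    devices: list = field(default_factory=lambda: ["clock-lobby", "clock-gate"])

    def menu(self, session):
        """Client-side hiding only: the routes the UI would show this user."""
        return [r for r, need in ROUTE_MIN_ROLE.items()
                if ROLE_RANK[session.role] >= ROLE_RANK[need]]

    def handle(self, session, route, action="view"):
        """Serve a direct request. Returns an HTTP-like status code."""
        if route not in ROUTE_MIN_ROLE:
            return 404
        need = ROUTE_MIN_ROLE[route]
        # The fix: authorize on the server for every request, not only when
        # building the menu.
        if self.enforce_server_side and ROLE_RANK[session.role] < ROLE_RANK[need]:
            return 403
        if route == "/v2/#/list/device" and action == "delete":
            self.devices.clear()  # the destructive case from the submission
        return 200


def forced_browsing_findings(app, admin, low_priv):
    """Differential test from the submission: enumerate what the admin can
    reach, replay each route with the low-privilege session, and report the
    routes the low-privilege user reaches but should not."""
    findings = []
    for route in app.menu(admin):
        need = ROUTE_MIN_ROLE[route]
        if ROLE_RANK[low_priv.role] >= ROLE_RANK[need]:
            continue  # legitimately shared route, not a finding
        if app.handle(low_priv, route) == 200:
            findings.append(route)
    return findings


def employee_can_delete_devices(app, low_priv):
    """True when the low-privilege session wipes the device list."""
    app.handle(low_priv, "/v2/#/list/device", action="delete")
    return len(app.devices) == 0


if __name__ == "__main__":
    admin = Session("admin@example.invalid", ADMIN)
    employee = Session("employee@example.invalid", EMPLOYEE)
    for enforce in (False, True):
        app = RhidLikeApp(enforce_server_side=enforce)
        print("server-side authorization:", enforce)
        print("  menu shown to employee:", app.menu(employee))
        print("  reachable by direct request:",
              forced_browsing_findings(app, admin, employee))
        print("  employee deleted devices:",
              employee_can_delete_devices(app, employee))
```

Against a real application the same loop is driven by the backend requests recorded while browsing each admin view in an administrator session, replayed with the employee's cookie or token; a 200 with the same body shape as the admin's response is the finding, and a 403 (or a redirect to the login page) is the expected result after the fix.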
