CVE-2022-34002 Personnel Data Systems (PDS) Vista 7 - Local File Inclusion
Summary
| Field | Value |
|---|---|
| Name | Personnel Data Systems (PDS) Vista 7 - Local File Inclusion |
| Product | PDS Vista 7 |
| Affected Versions | <7.1.7.2 – External Applicants Security Hotfix – XA Clients Only |
| State | Public |
| Release Date | 2022/08/08 |
Vulnerability
| Field | Value |
|---|---|
| Type | Local File Inclusion |
| Rule | CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (https://cwe.mitre.org/data/definitions/22.html) |
| Remote? | Yes |
| Authentication Required? | Yes |
| CVSS v3 Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| CVSS v3 Base Score | 7.7 |
| Exploit Available? | No, but manually exploitable |
| CVE ID(s) | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34002 |
Description
The ‘document’ parameter of PDS Vista 7’s /application/documents/display.aspx page is vulnerable to Local File Inclusion, which allows a low-privileged authenticated attacker to leak the configuration files and source code of the web application.
Proof-of-Concept
Implementations of PDS Vista 7 vary by organization, so the following proof-of-concept may not follow the same flow as other client deployments. In the engagement in which Assura discovered this vulnerability, the client had implemented PDS Vista 7 to accept applications for job positions. This required a job applicant to create an account, which exposed the vulnerable function.
- Proxy a web browser through Burp Suite or another intercepting web proxy.
- Log into the system that implements PDS Vista 7 prior to the application of the patch ‘7.1.7.2 – External Applicants Security Hotfix – XA Clients Only’.
- Navigate to the /application/documents/display.aspx?document= page (empty document parameter).
- At this point, the server returns a 200 OK response, but the page itself renders blank in the web browser.
- Set the document parameter to the value ‘/web.config’ and request the page again. This time the response contains encrypted content. This is where the vulnerability gets interesting.
- In Burp Suite, find the request/response pair for the /application/documents/display.aspx?document=/web.config request.
- In the response body, search for the string ‘padDiv’. Within the ‘padDiv’ section of the response body, the unencrypted contents of the requested file are visible.
- This vulnerability can be used to retrieve the contents of any file within the root directory or sub-directories of the web application, but not system-level or above-root files.
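As an added example (not part of this advisory or of the vendor's code), the following Python check scans IIS W3C log lines for requests to the vulnerable endpoint whose `document` parameter points outside the expected applicant-upload area, such as the `/web.config` request shown above. The log lines, their field layout and the user names are constructed for the example.

```python
"""Detect CVE-2022-34002 probing in IIS W3C logs (added example, not vendor code).

Flags requests to the vulnerable PDS Vista 7 endpoint whose `document`
parameter points at a web-application config or source file rather than
an uploaded applicant document. Log lines below are constructed samples.
"""
from urllib.parse import parse_qs, unquote

VULN_PATH = "/application/documents/display.aspx"
# Extensions that should never be served through the document viewer.
SENSITIVE_EXT = (".config", ".aspx", ".ascx", ".asax", ".cs", ".vb", ".dll", ".asmx")

# Constructed fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
SAMPLE_LOG = """\
2022-04-27 14:02:11 10.0.0.5 GET /application/documents/display.aspx document=12345.pdf 443 applicant01 203.0.113.7 Mozilla/5.0 - 200
2022-04-27 14:03:45 10.0.0.5 GET /application/documents/display.aspx document=/web.config 443 applicant01 203.0.113.7 Mozilla/5.0 - 200
2022-04-27 14:04:02 10.0.0.5 GET /application/documents/display.aspx document=..%2F..%2Fweb.config 443 applicant01 203.0.113.7 Mozilla/5.0 - 200
2022-04-27 14:05:30 10.0.0.5 GET /application/login.aspx - 443 - 198.51.100.9 Mozilla/5.0 - 200
"""

def is_suspicious_document(value: str) -> bool:
    """True if a `document` value reaches outside a per-applicant upload area."""
    v = unquote(unquote(value)).replace("\\", "/").lower()  # undo double encoding, normalise slashes
    if v.startswith("/") or ".." in v.split("/"):
        return True
    return v.endswith(SENSITIVE_EXT)

def find_lfi_attempts(log_text: str) -> list:
    """Return one record per request to the vulnerable page with a suspicious document value."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split(" ")
        if len(fields) < 12:
            continue
        date, time_, _sip, method, stem, query, _port, user, cip, *_rest, status = fields
        if stem.lower() != VULN_PATH:
            continue
        params = parse_qs(query, keep_blank_values=True)  # decodes %2F once
        for doc in params.get("document", []):
            if is_suspicious_document(doc):
                hits.append({"time": f"{date} {time_}", "method": method, "user": user,
                             "client": cip, "document": unquote(doc), "status": status})
    return hits

if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

A pre-patch deployment cannot distinguish these requests by status code alone, since the blank page and the leaked file both return 200, so the parameter value is the signal to alert on.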
Exploit
There is no pre-packaged exploit for this vulnerability at this time, although it can be easily exploited manually as shown in the Proof-of-Concept section above.
Mitigation
Customers should apply the following patch: ‘7.1.7.2 – External Applicants Security Hotfix – XA Clients Only’.
Credits
This vulnerability was discovered by Nick Berrie (https://www.linkedin.com/in/nick-berrie/), Technical Director of Assura’s Offensive Security Operations department at Assura, Inc.
References
| Reference | URL |
|---|---|
| Vendor Page | https://www.pdssoftware.com/Solutions/VistaOverview.asp |
| CVE Description | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34002 |
Timeline
- 2022-04-27: Vulnerability discovered
- 2022-04-27: Vendor contacted
- 2022-04-29: Vendor confirmed patch
- 2022-06-19: CVE #s issued by MITRE
- 2022-08-08: Public disclosure