Attached files under salaries module can be harvested by unauthenticated users in francoisjacquet/rosariosis
Reported on
Apr 5th 2023
Description
File attachment under salaries module can be downloaded and viewed by anyone without authentication by just knowing the full path (/assets/FileUploads/2022/staff_2/*) and the predictable filename (contains date (YYYY-MM-DD) and a random 6 digit number which can be easily enumerated by automated tool using list of all possible 6 digit combinations). File attachment under salaries module may contain confidential salary information and other sensitive data of the intended owner.
Example: http://X.X.X.X/assets/FileUploads/2022/staff_2/payslip_2023-04-05_021223.jpg
Replication
- Send the above endpoint to burp intruder.
- Position the payload to the last 6 digit number, example: GET /rosariosis/assets/FileUploads/2022/staff_2/payslip_2023-04-05_§021223§.jpg
- Add your payload list containing all possible 6 digit combinations.
- Start the attack and all requests that returns 200 status can be harvest. Note: you can also configure to add the filename date (YYYY-MM-DD) for enumeration.
Impact
The impact of this vulnerability is significant as it can lead to the disclosure of confidential information, which can have serious consequences for the organization. The attached file is associated to the salaries thus it may contain confidential data that may be exposed includes employee salaries, personal information, and other sensitive information. This information can be used by attackers for identity theft, financial fraud, or other malicious purposes.
Follow up notes:
Renaming the uploaded files by the application helps prevent malicious users from guessing or enumerating the names of the uploaded files, which can make it more difficult for attackers to perform certain type of attacks that can potentially harvest the uploaded files. However, the appended strings to the uploaded files under the Rosariosis Salaries module are not complicated enough to prevent malicious actors from guessing all valid last six digits in just a few minutes . I wrote a simple python code for this one using request module
base_url = "http://rosariosis-example-domain.com/assets/FileUploads/2022/staff_2/payslip_2023-04-05_"
for i in range(1000000):
code = str(i).zfill(6)
url = base_url + code + ".jpg"
# Send a GET request to the URL and prints if the status code is 200
response = requests.get(url)
if response.status_code == 200:
print(url)
Hello @b1tch3s
Thank you for your report. FYI, the 6 numbers at the end are not random, it's the time: HHMMSS.
This has already been reported various times (although not for the Salaries specifically).
But please, tell me how do you predict the "payslip" part? And the ".jpg" part? AFAIK, "payslip.jpg" is the file you have uploaded. It could have been named anything, and its extension could have been ".pdf" instead.
Hi @Jacquet
Thanks for your time reviewing my report. In my experience, companies especially the well-organized ones, they rarely name files in random. If they attached payslips in pdf, they usually follow their standard naming convention which is a best practice to make it easier to organise files and avoid mistakes in uploading files . For example, 21-001_payslip.pdf (<employee ID no.>_payslip.pdf) . If I am one of the employee, I will be able to immediately know the naming format and abuse it to download and view the salary attachment of other employees - which means that the threat population reduces to employees users only as they are the only ones who are familiar with the convention.
Let me know if you need more information from me.
Thanks !
Hello @b1tch3s
I agree, if I am an employee, it will give me clear hints to predict other users' files.
Would adding microseconds (6 digits) to the filename be enough in your opinion?
Hi @François,
Adding microseconds (6 digits) to the filename surely improves the security but it may not be long and complex enough to prevent the attacker to guess the added strings using automated enumeration attack. In addition to length, I recommend to use a cryptographic hash function to generate a unique, random value as opposed to microseconds, which are merely numbers.
Nonetheless, above control is for your risk assessment if it is enough to mitigate the risk. Another effective mitigating control is to create an authenticated back-end service that retrieves the uploaded files in the system. This way, you don't need to reveal the full path where the files are stored which prevents users to directly download the files without authentication. Ensure that proper access control and principle checks are implemented so it won't introduce IDOR vulnerability.
Let me know if you need more information from me.
Thanks !
Hello @b1tch3s
Thank you for your answer.
OK, let's do some math: There are 246060 = 86400 seconds per day. Let's say an attacker can narrow the scope to (predict) an hour, 16060 = 3600 seconds.
Now, let's add microseconds. That means, for every second, 6 digits, or 999999 possible values. The total is 999999*3600 = 3,599,996,400
This article https://www.artificialworlds.net/blog/2017/06/12/making-100-million-requests-with-python-aiohttp/ mentions ~665 requests per seconds(!)
So this would take, in the best scenario, 3599996400 / 665 = 5413528 seconds, or about 62 days. Is this correct?
Hello @François,
It appears that you had a point. If we consider the implementation of milliseconds as compensating control in our threat vulnerability and risk assessment (TVRA), and provided that our threat population revolves around employees only, residual risk will be drastically reduced to low.
let me know once you're done applying fix for this one.
Thanks !
Hello @François,
Good evening, I'm just wondering if you have updates on this report already.
Let me know if you need any assistance from me.
Thanks !
Hello @b1tch3s
The fix will be included in version 11.0. I plan on adding a new function to make it easier to respect the "secure" file name pattern, not just for Salaries but everywhere needed. I will close your report with the proper commit once it is all set.
Thank you.
Hello @François,
Sounds great ! Would you mind assigning CVE to this ?
Million thanks @François