ApplyYourself i-Class ApplicantDecision.asp Result Disclosure

2005-03-09T22:40:21
ID OSVDB:14655
Type osvdb
Reporter brookbond()
Modified 2005-03-09T22:40:21

Description

Vulnerability Description

ApplyYourself i-Class contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a malicious user creates a specially crafted URL and submits it to ApplicantDecision.asp with a 7-digit ID code as the id parameter. The applicant's ID code can be found in the HTML source of their admission application, where it is stored as a hidden variable. This discloses the applicant's admission results before they should be publicly available, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, ApplyYourself has released a patch to address this vulnerability.

Manual Testing Notes

https://[target]/AyApplicantMain/ApplicantDecision.asp?AYID=[AYID value]&mode=decision&id=[id value]
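
Requests matching the URL pattern above can be searched for in web server logs to see whether decisions were retrieved before their intended release. The following is an added example, not part of the original advisory or of vendor code; the log field layout, the sample lines and the release time are assumptions constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs

# Assumption: when decisions were meant to become visible (not from the advisory).
RELEASE_TIME = datetime(2005, 3, 15, 9, 0, 0)

# Path and parameter names are taken from the advisory's URL pattern.
DECISION_PATH = "/ayapplicantmain/applicantdecision.asp"
ID_RE = re.compile(r"^\d{7}$")  # the advisory describes a 7-digit ID code

# Constructed sample lines in an assumed W3C-style layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-03-02 04:11:09 192.0.2.10 GET /AyApplicantMain/ApplicantDecision.asp AYID=EXAMPLE&mode=decision&id=1234567 200
2005-03-02 04:12:40 192.0.2.11 GET /AyApplicantMain/ApplicantMain.asp AYID=EXAMPLE 200
2005-03-02 05:00:00 192.0.2.12 GET /AyApplicantMain/ApplicantDecision.asp AYID=EXAMPLE&mode=decision&id=abc 200
2005-03-16 10:00:00 192.0.2.13 GET /AyApplicantMain/ApplicantDecision.asp AYID=EXAMPLE&mode=decision&id=7654321 200
"""

def find_early_decision_requests(log_text, release_time=RELEASE_TIME):
    """Return (timestamp, client_ip, id) for decision-page hits before release."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directives
        parts = line.split()
        if len(parts) != 7:
            continue  # skip lines that do not match the assumed layout
        date, time, ip, _method, stem, query, status = parts
        if stem.lower() != DECISION_PATH:
            continue
        # Classic ASP treats query-string keys case-insensitively, so normalise them.
        params = {k.lower(): v for k, v in parse_qs(query).items()}
        mode = params.get("mode", [""])[0].lower()
        app_id = params.get("id", [""])[0]
        if mode != "decision" or not ID_RE.match(app_id):
            continue
        when = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        # Only successful responses served before the release time are reported.
        if status == "200" and when < release_time:
            hits.append((when.isoformat(), ip, app_id))
    return hits

if __name__ == "__main__":
    for hit in find_early_decision_requests(SAMPLE_LOG):
        print(hit)
```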

References:

Vendor URL: http://applyyourself.com/products/products_iclass.asp
Security Tracker: 1013400
CVE-2005-0747