If a user can be persuaded to log into this management interface, they can view another user’s leave details such as leave type, start/end date, etc.

An attacker can use this information to change leave types or manipulate the leave dates to obtain access to other users’ data.

In addition to this management interface, the Leave Management System v1.0 also had an access control issue where all users had full access. An attacker only needs to craft a valid reason for the change of leave type, and the system will grant the change.

Leave System Discovery

In 2017, for the first time, we discovered that a certain leave management system was included in an academic yearbook. The issue is not related to the system itself but rather to how the system is implemented. If a user can be persuaded to log into this management interface, they can view another user’s leave details such as leave type, start/end date, etc. An attacker can use this information to change leave types or manipulate the leave dates to obtain access to other users’ data.

An attacker could also craft a valid reason for the change of leave type and submit it through this interface. With these two pieces of information, an attacker can easily gain access to other users’ data and subsequently compromise all their files on campus.

QNAP TS-EC12P Deployment Guide

QNAP TS-EC12P Deployment Guide is the official guide on how to deploy the QNAP TS-EC12P with various network configurations.

This guide provides information on basic deployment, such as network configurations and management, storage, file services, and data backup and restore.

It also covers advanced configuration, including VPNs, SANs, cloud integration and more.

CVE-2022-38526

If a user can be persuaded to log into the Leave Management System v1.0, they can view another user’s leave details such as leave type, start/end date, etc.

An attacker can use this information to change leave types or manipulate the leave dates to obtain access to other users’ data.

How to Bypass the Leave Management System v1.0 Access Control

As mentioned above, the Leave Management System v1.0 had an issue where all users had full access to this system. If you want to take advantage of this vulnerability and bypass the access control, you need to create a new account with the same username in addition to a valid reason for changing leave type.

If you are going to do this trick, make sure that the username provided is not already in use by another user in your organization. If it is, you will need to change the username before following the steps below.

Here is how to bypass the Leave Management System v1.0: First, go into "Leave Management" from your browser on a computer that has not been updated yet and change your location. After this is done, simply create a new account with the same username as before and click on "Change Leave Type."

How to check if your organisation is affected?

Ensure that all users are not allowed to enter the Leave Management System (LMS) v1.0 interface.

While in the LMS, make sure you do not have permissions to view leave details of other users.

Timeline

Published on: 09/12/2022 23:15:00 UTC
Last modified on: 09/15/2022 04:17:00 UTC
