CVE-2018-18863 ResourceLink Local File Inclusion

In a recent penetration test, ResourceLink version 20.0.2.1 was found to be vulnerable to local file inclusion (LFI). ResourceLink is a payroll web application that allows HR departments to manage payments and employees’ bank account details.

LFI allows an attacker to include the contents of another file hosted on the web server within a web page. Only files to which the web service has read access can be included.

The vulnerability exists in the “logfiledownload” parameter, which is part of the support section of the ResourceLink application. The support section was accessible with default and weak credentials (support/support). The vulnerable parameter allows an authenticated user to view logs of the web application. However, an attacker can abuse this functionality to read arbitrary files on the server, such as “C:\Windows\win.ini”, as shown below.

https://[redacted]/support/logfiledownload?file=..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini&download=false

An attacker can exploit this vulnerability to read files containing sensitive information stored on the server, such as clear-text credentials or session cookies. The following example shows that it was possible to retrieve JSESSIONIDs, URL session IDs, and clear-text passwords from a log file:

https://[redacted]/support/logfiledownload?file=..\..\logs\server.log&download=false

Furthermore, an attacker can abuse this vulnerability to read the SQL connection string, which contains the credentials that the ResourceLink web application uses to connect to the Oracle database:

https://[redacted]/support/logfiledownload?file=..\..\config\domain.xml&download=false

As a result, this would allow an attacker to access data stored in the Oracle database, such as bank account details.
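The root cause above is a file name taken from the request and joined onto a log directory without canonicalising the result. The following example (added here, not code from the advisory or from ResourceLink) shows the two defensive pieces a practitioner would want: a download resolver that canonicalises the requested name and refuses anything outside the permitted log directory, treating both `/` and `\` as separators so the Windows-style payloads from the advisory are rejected on any platform, and a small detector that flags traversal attempts against the `logfiledownload` endpoint in access logs. The log directory, the access-log lines and the IP addresses are constructed for the example.

```python
import os
import re
import urllib.parse
from typing import List, Optional, Tuple

# Constructed value for this example: the only directory the download handler may serve from.
LOG_DIR = "/opt/resourcelink/logs"


def safe_log_path(base_dir: str, requested: str) -> Optional[str]:
    """Resolve a user-supplied file name inside base_dir; return None if it escapes it."""
    # Treat '\' like '/' so ..\..\..\Windows\win.ini is caught even on a POSIX host.
    normalized = requested.replace("\\", "/")
    # Absolute paths and drive letters are never legitimate log names.
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalized))
    # Containment check on the canonical path, not on the raw string.
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


# Constructed access-log lines for the detection part (not taken from the advisory).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [08/Aug/2018:10:01:02 +0100] "GET /support/logfiledownload?file=server.log&download=false HTTP/1.1" 200 5120',
    '10.0.0.9 - - [08/Aug/2018:10:02:10 +0100] "GET /support/logfiledownload?file=..%5C..%5C..%5CWindows%5Cwin.ini&download=false HTTP/1.1" 200 403',
    '10.0.0.9 - - [08/Aug/2018:10:02:44 +0100] "GET /support/logfiledownload?file=..\\..\\config\\domain.xml&download=false HTTP/1.1" 200 9001',
    '10.0.0.7 - - [08/Aug/2018:10:03:00 +0100] "GET /index.html HTTP/1.1" 200 1200',
]

REQUEST_RE = re.compile(r'^(\S+) .*"GET (/support/logfiledownload\?\S*) HTTP/')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # a '..' segment followed by either separator


def find_traversal_attempts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded 'file' parameter) for logfiledownload requests
    whose file name contains a '..' segment, whether URL-encoded or literal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m.group(2)).query
        # parse_qs percent-decodes, so %5C and a literal backslash are checked alike.
        requested = urllib.parse.parse_qs(query).get("file", [""])[0]
        if TRAVERSAL_RE.search(requested):
            hits.append((m.group(1), requested))
    return hits
```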

Vulnerability Disclosure Timeline

08/08/2018: Initial contact to the vendor using the contact form on the vendor’s website.
08/08/2018: The software development director’s contact details were found on the vendor’s website and they were contacted directly.
03/09/2018: No response was received, and a last-call email was sent to the vendor.
11/09/2018: The vendor replied asking for further details.
21/09/2018: A telephone call was held with the vendor, who confirmed the vulnerability.
30/10/2018: The vendor confirmed that the vulnerability is now fixed in release 20.
08/11/2018: CVE-2018-18863 vulnerability was disclosed.