Jobvite, a recruiting platform for the social web, has been found
vulnerable to two common but critical web application vulnerabilities
that could allow an attacker to compromise the company's server and
steal its database.
Jobvite is a social recruiting and applicant tracking platform created
for companies with the highest expectations of recruiting technology and
candidate quality. Growing companies use Jobvite's social recruiting,
sourcing and talent acquisition solutions to target the right talent and
build the best teams.
Independent security researcher Mohamed M. Fouad from Egypt has found two major flaws in the Jobvite website that
could be leveraged by an attacker to compromise the company's
server. As a responsible security researcher, Fouad reported the
critical flaws three months ago, but the company has not fixed them yet.
According to Fouad, Jobvite is vulnerable to Boolean-based SQLi (SQL
injection) and LFI (local file inclusion) vulnerabilities, which he
describes as among the best security vulnerabilities he has ever
discovered.
SQL INJECTION VULNERABILITY
SQLi or SQL injection is one of the many web attack mechanisms used by
hackers to steal data from organizations. It is perhaps one of the most
common application layer attack techniques used today. Attackers
take advantage of improper coding in web applications that lets them
inject SQL commands through, say, a login form, and thereby gain access
to the data held in the database.
LFI VULNERABILITY
LFI or Local File Inclusion is a type of vulnerability most often found
on websites. It allows an attacker to include a local file, usually
through a script on the web server, and occurs when user-supplied input
is used without proper validation. This can lead to code execution on
the web server or on the client side (for example JavaScript), which in
turn can lead to other attacks such as cross-site scripting (XSS),
denial of service (DoS) and data theft or manipulation.
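As an added example (not from the article and not Jobvite's own code), the two hardened patterns that close the bug classes described above: resolving a user-supplied path inside an allowed directory before opening it, and binding user input as a query parameter instead of concatenating it into SQL. The base directory, the user table and all names are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sandbox for the demo: a directory the app may serve files from,
# and an in-memory SQLite user table. Paths and names are assumptions, not Jobvite's.
BASE_DIR = tempfile.mkdtemp()
with open(os.path.join(BASE_DIR, "help.txt"), "w") as fh:
    fh.write("public help page\n")

def resolve_in_base(user_path: str):
    """Resolve a user-supplied path and return it only if it stays inside BASE_DIR.

    The vulnerable LFI pattern is open(BASE_DIR + "/" + user_path): ".." segments,
    absolute paths and symlinks all escape the base. realpath() canonicalises the
    candidate first, so the containment check is done on the real target."""
    base = os.path.realpath(BASE_DIR)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None  # escaped the allowed directory: refuse
    return target

def safe_read(user_path: str) -> str:
    """Hardened include: read the file only when it resolves inside BASE_DIR."""
    target = resolve_in_base(user_path)
    if target is None:
        raise PermissionError(f"refusing path outside base dir: {user_path!r}")
    with open(target) as fh:
        return fh.read()

def make_db() -> sqlite3.Connection:
    """Constructed user table with a single admin row (hash value is a placeholder)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-pw')")
    return conn

def user_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Hardened lookup: the name is bound as a parameter, so it is always data.

    The vulnerable form, "... WHERE name = '" + name + "'", lets a Boolean-SQLi
    payload rewrite the WHERE clause and turn the true/false answer into an
    oracle; with a bound parameter the same string is compared literally."""
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None
```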
Fouad told The Hacker News that the SQLi vulnerability
in the Jobvite website allowed him to gain access to the company's
database, which includes the confidential data of its admin users along
with their emails and passwords.
Using the LFI vulnerability, an attacker can read critically important files stored on the web server, e.g. /etc/passwd or /etc/hosts. Fouad used the LFI flaw to view all the user accounts that exist on the company's Linux server.
Source: thehackernews.com