Vulnerability Note VU#829574
HR Systems Strategies info:HR HRIS allows read access to weakly obfuscated shared database password
HR Systems Strategies info:HR HRIS 7.9 and possibly earlier versions allow read access to a weakly obfuscated database password. This password is shared by all clients within an info:HR site. A local attacker can decipher the password and gain complete control of the database and application, including access to sensitive personally identifiable information (PII).
info:HR is "...a robust, general-purpose Human Resources Information System (HRIS)" that runs on the Microsoft Windows platform and uses Microsoft SQL Server. info:HR stores database credentials in a registry key that allows read access to any local user. The database password is weakly obfuscated with a static key and can be easily deciphered.
A local attacker can read and decipher the SQL database password, granting the attacker complete control over the database. The attacker can also read and decipher info:HR application passwords to gain administrative privileges in the application. info:HR systems are likely to contain sensitive personally identifiable information (PII).
Apply an Update
Restrict access to the USERPW registry key
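The description above notes that the key holding the shared credential is readable by any local user, and the workaround is to restrict access to the USERPW key. The following PowerShell script is an added example, not code from the CERT note or the vendor: it audits the key's ACL for broad read grants and, with -Fix, removes them. The registry path and the list of broad principals are assumptions; the note does not give the full path of the key.

```powershell
# Added example (not from the CERT note or the vendor): audit, and optionally
# tighten, the ACL on the registry key holding the shared credential.
# The note does not give the full path of the USERPW key, so $KeyPath is an
# assumed placeholder; replace it with the real location on an info:HR host.
$KeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER_VENDOR\PLACEHOLDER_INFOHR\USERPW'

# Broad principals that should never be able to read a credential-bearing key
# (assumed list; extend it for site-specific groups such as domain users).
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Return the Allow ACEs on an ACL that grant any ReadKey right to a broad principal.
function Select-BroadReadAce {
    param([Parameter(Mandatory)][System.Security.AccessControl.RegistrySecurity]$Acl)
    $readMask = [System.Security.AccessControl.RegistryRights]::ReadKey
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.RegistryRights -band $readMask) -ne 0) { $ace }
    }
}

# Report offending ACEs; with -Fix, break inheritance (keeping explicit copies so
# Administrators and SYSTEM retain access) and remove the broad read grants.
function Protect-CredentialKey {
    param([Parameter(Mandatory)][string]$Path, [switch]$Fix)
    if (-not (Test-Path -Path $Path)) { throw "Registry key not found: $Path" }
    $acl = Get-Acl -Path $Path
    $offending = @(Select-BroadReadAce -Acl $acl)
    if ($offending.Count -eq 0) { Write-Output "OK: no broad read access on $Path"; return }
    $offending | Format-Table IdentityReference, RegistryRights, IsInherited -AutoSize
    if (-not $Fix) { return }
    $acl.SetAccessRuleProtection($true, $true)   # inherited ACEs become explicit copies
    foreach ($ace in @(Select-BroadReadAce -Acl $acl)) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
    Write-Output "Removed $($offending.Count) broad read ACE(s) from $Path"
}

Protect-CredentialKey -Path $KeyPath          # audit only
# Protect-CredentialKey -Path $KeyPath -Fix   # apply the change, run as an administrator
```

Because the password is shared by every client in the site, run the audit first and grant the account under which info:HR clients actually run an explicit read ACE before applying -Fix, or those clients will lose their database connection.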
Vendor Information

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| HR Systems Strategies Inc. | Affected | 06 Sep 2013 | 16 Oct 2013 |
CVSS Metrics
Thanks to Chris Mayhew from Run Straight Consulting Ltd for reporting this vulnerability.
This document was written by Adam Rauf.
- CVE IDs: CVE-2013-5208
- Date Public: 14 Oct 2013
- Date First Published: 15 Oct 2013
- Date Last Updated: 16 Oct 2013
- Document Revision: 42