Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23771
HistoryMay 11, 2010 - 12:00 a.m.

SA00001-2010

2010-05-1100:00:00
vulners.com
34

Vulnerability Report

  1. Affected software
    OrangeHRM 2.5.0.4
    Prior versions may also be affected.
    "OrangeHRM is an Open Source HRM system. It provides an ideal solution
    for small and medium sized enterprises looking for an inexpensive way to
    effectively manage and develop their human resources."
    Product link: http://www.orangehrm.com/

  2. Vulnerability Information
    Class: Cross site scripting, SQL injection, PHP code injection, Cross-site
    request forgery
    Impact: Session hijacking, unauthorized data access, privilege escalation,
    user-assisted arbitrary command execution
    Rating: Less critical
    Remotely Exploitable: Yes
    Locally Exploitable: No

  3. Description of Vulnerability
    3.1.1. Stored XSS in ESS (Employee Self-Service)
    In ESS module, user inputs are not sanitized properly, leading to XSS
    vulnerability.
    Exploiting this vulnerability would allow a malicious ESS user to gain
    administrative privileges.

3.1.2. Stored XSS in the public-accessible jobs.php
module
In the recruitment module, user inputs are not sanitized properly,
leading to
XSS vulnerability.
Exploiting this vulnerability would allow an unauthenticated attacker to
gain
user or administrator privileges.

3.1.3. Reflected XSS
Some of the AJAX responses are not sanitized, leading to reflected XSS
vulnerability.

3.1.4. SQL injection
There are several places in the software where authenticated ESS users
can perform SQL injection attacks.
Successful exploitation of this vulnerability can lead to unauthorized
access
to sensitive data, or arbitrary code execution.

3.1.5. CSRF and PHP code injection
There are no security measures implemented in the software against CSRF
attacks. If a remote attacker can trick an administrator to visit a
malicious
site, the attacker can perform privileged operations, or exploit PHP code
injection vulnerability that can be found in the mail administration module.
Successful exploitation of these vulnerabilities can lead to arbitrary code
execution.

3.1.6. Authorization vulnerabilities
The Timesheet, Attendance, HSP, Recruitment, and Leave modules
contains bugs in the authorization code, that may make possible to
authenticated ESS users to access sensitive information, or perform
privileged operations.

  1. Solution
    We are not aware of any official fixes.

  2. Workaround
    Workarounds for some of these vulnerabilities can be implemented through
    a Web Application Firewall, for example ModSecurity™ with the Core Rule
    Set (CRS).
    When using ModSecurity™: make sure you have enabled XSS and SQL
    injection protection rules, and SecRequestBodyAccess is set (it is off by
    default). CSRF protection can be implemented as described here:
    http://knol.google.com/k/preventing-cross-site-request-forgeries-csrf-usingmodsecurity
    .
    One should consider revoking write access on lib/confs/mailConf.php from
    the apache user (after doing so, OrangeHRM mail configurations can not be
    modified from admin menu).
    The session encryption features of suhosin PHP extension can make
    session hijacking attacks harder as well.

  3. Timeline
    06/04/2010 – Vulnerabilities discovered
    09/04/2010 – First attempt to contact vendor
    19/04/2010 – Second attempt to contact vendor
    10/05/2010 – Public disclosure

  4. Credits
    These vulnerabilities were discovered by Tamбs Czigбny and Laszlo Klock.

  5. About us
    SecurityAngel is the vulnerability research lab of kancellar.hu.
    kancellar.hu is Hungary’s market leading information security private
    limited company. The company offers full scope information security
    services to its customers, performs audits, delivers end-to-end security
    systems, tools, and solutions. Since its foundation in 2002, its revenues
    have increased by more than tenfold. According to the survey conducted by
    Deloitte, kancellar.hu was one of the 50 most dynamically developing
    Central European companies for two years in a row in 2008 and 2009, and
    one of the 500 most quickly growing companies in the EMEA region.

  6. Legal notices
    Disclaimer: The information in the advisory is believed to be accurate
    at the
    time of publishing based on currently available information. Use of the
    information constitutes acceptance for use in an AS IS condition. There
    are no warranties with regard to this information. Neither the author
    nor the
    publisher accepts any liability for any direct, indirect, or
    consequential loss
    or damage arising from use of, or reliance on, this information.
    The product names used in this document are for identification purposes
    only. All trademarks and registered trademarks are the property of their
    respective owners.