lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 10 May 2010 14:37:26 +0200
From: Zakar Miklós <>
Subject: SA00001-2010

Vulnerability Report

1. Affected software
Prior versions may also be affected.
"OrangeHRM is an Open Source HRM system. It provides an ideal solution
for small and medium sized enterprises looking for an inexpensive way to
effectively manage and develop their human resources."
Product link:

2. Vulnerability Information
Class: Cross site scripting, SQL injection, PHP code injection, Cross-site
request forgery
Impact: Session hijacking, unauthorized data access, privilege escalation,
user-assisted arbitrary command execution
Rating: Less critical
Remotely Exploitable: Yes
Locally Exploitable: No

3. Description of Vulnerability
3.1.1. Stored XSS in ESS (Employee Self-Service)
In ESS module, user inputs are not sanitized properly, leading to XSS
Exploiting this vulnerability would allow a malicious ESS user to gain
administrative privileges.

3.1.2. Stored XSS in the public-accessible jobs.php
In the recruitment module, user inputs are not sanitized properly, 
leading to
XSS vulnerability.
Exploiting this vulnerability would allow an unauthenticated attacker to 
user or administrator privileges.

3.1.3. Reflected XSS
Some of the AJAX responses are not sanitized, leading to reflected XSS

3.1.4. SQL injection
There are several places in the software where authenticated ESS users
can perform SQL injection attacks.
Successful exploitation of this vulnerability can lead to unauthorized 
to sensitive data, or arbitrary code execution.

3.1.5. CSRF and PHP code injection
There are no security measures implemented in the software against CSRF
attacks. If a remote attacker can trick an administrator to visit a 
site, the attacker can perform privileged operations, or exploit PHP code
injection vulnerability that can be found in the mail administration module.
Successful exploitation of these vulnerabilities can lead to arbitrary code

3.1.6. Authorization vulnerabilities
The Timesheet, Attendance, HSP, Recruitment, and Leave modules
contains bugs in the authorization code, that may make possible to
authenticated ESS users to access sensitive information, or perform
privileged operations.

4. Solution
We are not aware of any official fixes.

5. Workaround
Workarounds for some of these vulnerabilities can be implemented through
a Web Application Firewall, for example ModSecurity™ with the Core Rule
Set (CRS).
When using ModSecurity™: make sure you have enabled XSS and SQL
injection protection rules, and SecRequestBodyAccess is set (it is off by
default). CSRF protection can be implemented as described here:
One should consider revoking write access on lib/confs/mailConf.php from
the apache user (after doing so, OrangeHRM mail configurations can not be
modified from admin menu).
The session encryption features of suhosin PHP extension can make
session hijacking attacks harder as well.

6. Timeline
06/04/2010 – Vulnerabilities discovered
09/04/2010 – First attempt to contact vendor
19/04/2010 – Second attempt to contact vendor
10/05/2010 – Public disclosure

7. Credits
These vulnerabilities were discovered by Tamás Czigány and Laszlo Klock.

8. About us
SecurityAngel is the vulnerability research lab of is Hungary’s market leading information security private
limited company. The company offers full scope information security
services to its customers, performs audits, delivers end-to-end security
systems, tools, and solutions. Since its foundation in 2002, its revenues
have increased by more than tenfold. According to the survey conducted by
Deloitte, was one of the 50 most dynamically developing
Central European companies for two years in a row in 2008 and 2009, and
one of the 500 most quickly growing companies in the EMEA region.

9. Legal notices
Disclaimer: The information in the advisory is believed to be accurate 
at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There
are no warranties with regard to this information. Neither the author 
nor the
publisher accepts any liability for any direct, indirect, or 
consequential loss
or damage arising from use of, or reliance on, this information.
The product names used in this document are for identification purposes
only. All trademarks and registered trademarks are the property of their
respective owners.

Powered by blists - more mailing lists