Vulnerability Report

1. Affected software

OrangeHRM 2.5.0.4
Prior versions may also be affected.

"OrangeHRM is an Open Source HRM system. It provides an ideal solution for small and medium sized enterprises looking for an inexpensive way to effectively manage and develop their human resources."

Product link: http://www.orangehrm.com/

2. Vulnerability Information

Class: Cross-site scripting, SQL injection, PHP code injection, Cross-site request forgery
Impact: Session hijacking, unauthorized data access, privilege escalation, user-assisted arbitrary command execution
Rating: Less critical
Remotely Exploitable: Yes
Locally Exploitable: No

3. Description of Vulnerability

3.1.1. Stored XSS in ESS (Employee Self-Service)

In the ESS module, user inputs are not sanitized properly, leading to a stored XSS vulnerability. Exploiting this vulnerability would allow a malicious ESS user to gain administrative privileges.

3.1.2. Stored XSS in the publicly accessible jobs.php module

In the recruitment module, user inputs are not sanitized properly, leading to a stored XSS vulnerability. Exploiting this vulnerability would allow an unauthenticated attacker to gain user or administrator privileges.

3.1.3. Reflected XSS

Some of the AJAX responses are not sanitized, leading to a reflected XSS vulnerability.

3.1.4. SQL injection

There are several places in the software where authenticated ESS users can perform SQL injection attacks. Successful exploitation of this vulnerability can lead to unauthorized access to sensitive data or to arbitrary code execution.

3.1.5. CSRF and PHP code injection

The software implements no security measures against CSRF attacks. If a remote attacker can trick an administrator into visiting a malicious site, the attacker can perform privileged operations or exploit a PHP code injection vulnerability found in the mail administration module. Successful exploitation of these vulnerabilities can lead to arbitrary code execution.

3.1.6. Authorization vulnerabilities

The Timesheet, Attendance, HSP, Recruitment, and Leave modules contain bugs in the authorization code that may allow authenticated ESS users to access sensitive information or perform privileged operations.

4. Solution

We are not aware of any official fixes.

5. Workaround

Workarounds for some of these vulnerabilities can be implemented through a Web Application Firewall, for example ModSecurity™ with the Core Rule Set (CRS). When using ModSecurity™, make sure you have enabled the XSS and SQL injection protection rules, and that SecRequestBodyAccess is set to On (it is off by default, so POST bodies are not inspected). CSRF protection can be implemented as described here: http://knol.google.com/k/preventing-cross-site-request-forgeries-csrf-usingmodsecurity . One should consider revoking write access on lib/confs/mailConf.php from the apache user (after doing so, OrangeHRM mail configurations cannot be modified from the admin menu). The session encryption features of the suhosin PHP extension can make session hijacking attacks harder as well.

6. Timeline

06/04/2010 – Vulnerabilities discovered
09/04/2010 – First attempt to contact vendor
19/04/2010 – Second attempt to contact vendor
10/05/2010 – Public disclosure

7. Credits

These vulnerabilities were discovered by Tamás Czigány and Laszlo Klock.

8. About us

SecurityAngel is the vulnerability research lab of kancellar.hu. kancellar.hu is Hungary's market-leading information security private limited company. The company offers full-scope information security services to its customers, performs audits, and delivers end-to-end security systems, tools, and solutions. Since its foundation in 2002, its revenues have increased more than tenfold. According to a survey conducted by Deloitte, kancellar.hu was one of the 50 most dynamically developing Central European companies for two years in a row, in 2008 and 2009, and one of the 500 fastest-growing companies in the EMEA region.

9. Legal notices

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. The product names used in this document are for identification purposes only. All trademarks and registered trademarks are the property of their respective owners.
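Appendix (added example, not part of the original advisory): a minimal Apache httpd / ModSecurity 2.x fragment applying the WAF workaround from section 5, with SecRequestBodyAccess turned on so the CRS XSS and SQL injection rules actually inspect the POST bodies that OrangeHRM's forms submit. The log path and the CRS file locations are assumptions; adjust them to where the Core Rule Set is installed on your server.

```apache
# Added example, not from the advisory. Assumes ModSecurity 2.x loaded as
# security2_module and the OWASP Core Rule Set unpacked under /etc/modsecurity.

<IfModule security2_module>
    # Blocking mode. "DetectionOnly" would only log matches, never deny them.
    SecRuleEngine On

    # The point the advisory makes: the default is Off, which means request
    # bodies are never buffered or inspected, so the CRS XSS/SQLi rules would
    # only ever see the query string, not the form fields OrangeHRM POSTs.
    SecRequestBodyAccess On

    # Also inspect response bodies for leaked SQL errors (CRS outbound rules).
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html text/xml

    # Audit log of relevant (blocked or erroring) transactions, for IR.
    # Path is an assumption.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log

    # Core Rule Set: the setup file must be included before the rules.
    # In CRS 3.x the relevant rule files are REQUEST-941-APPLICATION-ATTACK-XSS.conf
    # and REQUEST-942-APPLICATION-ATTACK-SQLI.conf under rules/. Paths assumed.
    Include /etc/modsecurity/crs-setup.conf
    Include /etc/modsecurity/rules/*.conf
</IfModule>
```

After reloading httpd, confirm the engine sees bodies by checking that a test POST appears in the audit log with its request body section present; a rule set that only ever matches GET parameters is the symptom the advisory warns about.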