cooliscool changed the title from "Reflected XSS vulnerabilities #2 in icehrm" to "Reflected XSS vulnerabilities in login.php -- can be used to leak passwords" on Dec 24, 2021.
Important note:
This vulnerability was reported to the maintainers on Nov 23rd, 2021, and there has been no response yet. So, I infer it makes sense to publish it publicly here, for the sake of everyone who is actively using this software.
Description
DOM XSS in login.php GET parameter `key`.
The input to the `key` GET parameter is not sanitized as required for its context (JavaScript context) and gets reflected into the DOM.
Proof of Concept
Occurrence 1: Request param `key`
Request:
Follow the link https://icehrmpro.gamonoid.com/login.php?key=%27;alert(document.cookie)// to test this vulnerability on the live demo version of the website.
Occurrence 2: Request param `fm`
The payload passed in `fm` gets sanitized by PHP code. This could be bypassed by adding an extra GET param `content` with the value `HTML`. Thus the backend will not sanitize any user input.
Follow the link https://icehrmpro.gamonoid.com/login.php?f=boo&fm=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E&content=HTML to test this vulnerability on the live demo version of the website.
Impact
This vulnerability is capable of script execution in the victim's browser.
It's possible to run a keylogger script and capture the password of a victim user who tries to log in by typing in their credentials.
References
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting
Occurrences
HTML sanitization can be bypassed with an extra `content=HTML` GET param: https://github.com/gamonoid/icehrm/blob/master/core/login.php#L357-L361
(Embedded code reference: icehrm/core/login.php, lines 213 to 219 in f44b9ec)
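The two occurrences above are both output-encoding failures, but they fail in different ways: the `key` value lands inside a JavaScript string literal, where HTML sanitization is the wrong tool, and the `fm` value is only escaped when a request parameter says so. The following added example (written for this page, not code from icehrm) shows the server-side fix for each: a `\uXXXX` encoder for the JavaScript string context, unconditional HTML encoding for the message, and a small self-check that runs a rendered inline script with stub `alert`/`document` objects to confirm the reflected value stays data. All function names (`jsStringEncode`, `htmlEncode`, `renderKeyScript`, `renderMessageVulnerable`, `renderMessageFixed`, `evaluateInlineScript`, `demo`) and the sample cookie value are constructed for the example; the `key` input is the payload quoted in the report.

```javascript
// Added example (not icehrm code): context-aware output encoding for the two
// reflection points described in the report, plus a self-check that shows
// whether a rendered inline script still carries the reflected value as data.
// All function names and sample values here are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML body/attribute context: entity-encode the five significant characters.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context: \uXXXX-encode every UTF-16 code unit
// outside [A-Za-z0-9]. HTML entity encoding is the wrong tool here: entities
// are not decoded inside <script>, and it leaves backslashes and "</script>"
// untouched. After this encoding the output contains no quote, slash or '<'.
function jsStringEncode(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Pattern from occurrence 1: the key parameter lands inside a JS string
// literal in an inline script. `encoder` is what the server applies
// (identity = raw reflection, jsStringEncode = fixed).
function renderKeyScript(key, encoder) {
  return `var key = '${encoder(key)}';`;
}

// Pattern from occurrence 2, as described in the report: a request parameter
// (content=HTML) decides whether the server escapes the message.
// Kept here only to contrast with the fixed version below.
function renderMessageVulnerable(fm, content) {
  return content === 'HTML' ? `<div>${fm}</div>` : `<div>${htmlEncode(fm)}</div>`;
}

// Fixed: encoding is unconditional and chosen by the output context,
// never by anything the request controls.
function renderMessageFixed(fm) {
  return `<div>${htmlEncode(fm)}</div>`;
}

// Self-check for the script context: execute the rendered inline script with
// stub alert/document objects and report (a) the value `key` ended up holding
// and (b) whether anything besides the assignment ran (alert calls).
function evaluateInlineScript(scriptBody) {
  const alertCalls = [];
  const fakeAlert = (msg) => { alertCalls.push(String(msg)); };
  const fakeDocument = { cookie: 'session=constructed-value' }; // constructed
  try {
    // The newline before `return` matters: a trailing `//` in the payload
    // would otherwise comment out the return statement as well.
    const key = new Function('alert', 'document', scriptBody + '\nreturn key;')(fakeAlert, fakeDocument);
    return { key, alertCalls, error: null };
  } catch (err) {
    return { key: undefined, alertCalls, error: err.message };
  }
}

// The key payload quoted in the report, used here as the test input.
const REPORTED_KEY = "';alert(document.cookie)//";

// Compare raw reflection against \uXXXX encoding on the same input.
function demo() {
  const raw = evaluateInlineScript(renderKeyScript(REPORTED_KEY, (v) => v));
  const enc = evaluateInlineScript(renderKeyScript(REPORTED_KEY, jsStringEncode));
  return { raw, enc };
}

const result = demo();
console.log('raw reflection  -> key =', JSON.stringify(result.raw.key), 'alert calls:', result.raw.alertCalls);
console.log('\\uXXXX encoding -> key =', JSON.stringify(result.enc.key), 'alert calls:', result.enc.alertCalls);
console.log('fixed message   ->', renderMessageFixed('<img src=x onerror=alert(1)>'));
```

With raw reflection the assignment closes early, the rest of the input executes (the stub `alert` is called with the stub cookie) and `key` ends up empty; with `\uXXXX` encoding `key` round-trips to exactly the submitted string and nothing else runs. The same harness can be pointed at any inline-script template before it ships.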