Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet allows any user to create a timesheet in another user's account
#1173
Closed
zerodaywolf opened this issue
Mar 10, 2022
· 1 comment
Environment details
OrangeHRM version: 4.10
OrangeHRM source: Release build from Sourceforge or Git clone
Platform: Ubuntu
PHP version: 7.3.33
Database and version: MariaDB 10.3
Web server: Apache 2.4.52
If applicable:
Browser: Firefox
Describe the bug
A user can create a timesheet for a specific week by using the "Add Timesheet" functionality, after which the timesheet is accessible for editing and submission under the dropdown menu.
It was observed that when the employeeId parameter was set to any valid user's employee ID, a timesheet was created in that employee's account. The application verifies if a user has a valid session, but does not verify if a user is authorised to create a timesheet for a different employeeId. It is also possible to find out whether a timesheet has already been created for a specific week, by analysing the HTTP response.
To Reproduce
Log in to the OrangeHRM application as user A with employeeId as 2
Navigate to "Dashboard" > "My Timesheet"
Click on "Add Timesheet"
Turn on Intercept in Burp Suite (or any other web proxy)
Click on the textbox and select any date, say 1900-03-02
Click on "Ok"
Go to the Burp Intercept tab and you will notice a GET request being made to the /symfony/web/index.php/time/createTimesheet endpoint
Modify the value of the employeeId parameter to user B's employeeId, 4
Click on Forward and turn off Intercept
Log in to user B's account
Navigate to "Dashboard" > "My Timesheet"
Click on the dropdown menu beside "Timesheet for Week"
Notice that a new entry has been created with the date 1900-03-02
Expected behavior
"Credentials required" error.
What do you see instead:
The response body contains the date of the entry (1900-02-26).
Screenshots
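An added illustration of the authorization gap described in the report, not OrangeHRM code: a minimal in-memory model of the createTimesheet handler as reported (session checked, caller-supplied employeeId trusted) beside a hardened version that authorizes against the session's own employee record before touching any data, so a forbidden request also cannot act as an "does a timesheet exist for this week" oracle. The Session, TimesheetStore and may_create_for names, the role model and the startDate parameter are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """Hypothetical server-side session (assumption, not OrangeHRM's)."""
    user_id: int
    employee_id: int                       # employee record bound to the login
    role: str = "ESS"                      # "ESS", "Supervisor" or "Admin"
    supervises: frozenset = frozenset()    # employee ids a supervisor manages


@dataclass
class TimesheetStore:
    """Constructed in-memory stand-in for the timesheet table."""
    rows: set = field(default_factory=set)  # (employee_id, week_start)

    def exists(self, employee_id, week_start):
        return (employee_id, week_start) in self.rows

    def add(self, employee_id, week_start):
        self.rows.add((employee_id, week_start))


def create_timesheet_vulnerable(session, params, store):
    """Mirrors the reported behaviour: only the session is checked,
    so whatever employeeId the client sends is acted on."""
    if session is None:
        return 401, "Credentials required"
    employee_id = int(params["employeeId"])
    week = params["startDate"]
    if store.exists(employee_id, week):
        return 200, f"Timesheet already exists for {week}"  # existence leak
    store.add(employee_id, week)
    return 200, f"Created timesheet starting {week}"


def may_create_for(session, employee_id):
    """Assumed rule: self, a supervisor of that employee, or an Admin."""
    return (employee_id == session.employee_id
            or session.role == "Admin"
            or (session.role == "Supervisor" and employee_id in session.supervises))


def create_timesheet_hardened(session, params, store):
    if session is None:
        return 401, "Credentials required"
    employee_id = int(params["employeeId"])
    week = params["startDate"]
    # Decide on the session's identity before any lookup: a denied request
    # neither creates a row nor reveals whether one already exists.
    if not may_create_for(session, employee_id):
        return 403, "Credentials required"
    if store.exists(employee_id, week):
        return 200, f"Timesheet already exists for {week}"
    store.add(employee_id, week)
    return 200, f"Created timesheet starting {week}"
```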
zerodaywolf
changed the title
Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet allows any user can create a timesheet in another user's account
Insecure Direct Object Reference (IDOR) via the end point symfony/web/index.php/time/createTimesheet allows any user to create a timesheet in another user's account
Mar 10, 2022