Environment details
OrangeHRM version: 4.10
OrangeHRM source: Release build from Sourceforge or Git clone
Platform: Ubuntu
PHP version: 7.3.33
Database and version: MariaDB 10.3
Web server: Apache 2.4.52
If applicable:
Browser: Firefox
Describe the bug
This is similar to the Host header injection redirect vulnerability, except the issue lies in the Referer header and the vulnerable endpoints are different.
To Reproduce
Log in to the OrangeHRM application
Navigate to "My Info"
Under "Add Attachment", click on "Add"
Turn on Intercept in Burp Suite (or any other web proxy)
Select any PNG file and click on "Upload"
Change the value of the Referer header to example.com
Click on Forward in Burp and turn off Intercept
You will notice that the page gets redirected to http://example.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/X
Expected behavior
A 404 error.
What do you see instead:
A 302 redirect to the malicious domain.
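As an added illustration (not OrangeHRM's own code), the following PHP shows the post-upload redirect pattern this report describes next to a hardened version that only honours a same-origin Referer; the function names, the configured hostname hrm.internal.example and the fallback path are assumptions.

```php
<?php
// Illustrative pattern for the redirect-after-upload behaviour in the report.
// NOT OrangeHRM's actual code: handler names, the configured hostname and the
// fallback route are assumptions made for this example.

// Vulnerable form: the redirect target is taken from the Referer header as-is,
// so a request carrying "Referer: http://example.com/..." produces a
// "302 Location: http://example.com/..." response instead of a same-site page.
function redirectAfterUploadVulnerable(array $server): string
{
    return $server['HTTP_REFERER'] ?? '/symfony/web/index.php/pim/viewPersonalDetails';
}

// Hardened form: accept the Referer only when its scheme and host match the
// application's *configured* origin. The comparison deliberately avoids
// $_SERVER['HTTP_HOST'], because the report mentions a sibling Host-header
// injection issue; comparing against an attacker-controlled Host header would
// leave the redirect open.
function safeRedirectTarget(?string $referer, string $configuredHost, string $fallbackPath): string
{
    if ($referer === null || $referer === '') {
        return $fallbackPath;
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['host'])) {
        return $fallbackPath;            // relative or unparsable value: do not trust it
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $fallbackPath;            // javascript:, data: and similar schemes
    }
    if (strcasecmp($parts['host'], $configuredHost) !== 0) {
        return $fallbackPath;            // foreign origin: ignore the Referer entirely
    }
    // Re-emit only path and query as a relative target so no absolute URL from
    // the request header reaches the Location response header verbatim.
    $path = $parts['path'] ?? '/';
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return $fallbackPath;            // protocol-relative "//host" would still redirect off-site
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Constructed requests: the Referer value from the report's reproduction step,
// then a legitimate same-origin one.
$fallback = '/symfony/web/index.php/pim/viewPersonalDetails/empNumber/1';
echo safeRedirectTarget('http://example.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/1',
                        'hrm.internal.example', $fallback), "\n";
echo safeRedirectTarget('https://hrm.internal.example/symfony/web/index.php/pim/viewMyDetails',
                        'hrm.internal.example', $fallback), "\n";
```

With the first input the foreign host is rejected and the fallback path is returned; with the second only the relative path of the same-origin Referer is returned.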
Screenshots