
Referer header injection redirect vulnerability #1174

Closed
zerodaywolf opened this issue Mar 10, 2022 · 1 comment

@zerodaywolf

Environment details
OrangeHRM version: 4.10
OrangeHRM source: Release build from Sourceforge or Git clone
Platform: Ubuntu
PHP version: 7.3.33
Database and version: MariaDB 10.3
Web server: Apache 2.4.52

If applicable:
Browser: Firefox

Describe the bug
This is similar to the Host header injection redirect vulnerability, except the issue lies in the Referer header and the vulnerable endpoints are different.

To Reproduce

  1. Log in to the OrangeHRM application
  2. Navigate to "My Info"
  3. Under "Add Attachment", click on "Add"
  4. Turn on Intercept in Burp Suite (or any other web proxy)
  5. Select any PNG file and click on "Upload"
  6. Change the value of the Referer header to example.com
  7. Click on Forward in Burp and turn off Intercept
  8. You will notice that the page gets redirected to http://example.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/X

Expected behavior
A 404 error.

What do you see instead:
A 302 redirect to the malicious domain.

Screenshots
[screenshot attached to the original issue; not reproduced here]

@samanthajayasinghe
Member

Hi @vulf
It's recommended to deploy the application with a valid hostname.

e.g. nginx:

```nginx
server {
    listen 80 default_server;
    server_name mydomain.com;
    # ...
}
```
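The two sides of this thread in code: the pattern the report describes, where the Referer value flows straight into the redirect target, beside a hardened resolution that only honours a Referer pointing back at the deployment's own hostname (the same information the `server_name` in the comment above pins down), plus a small check that flags off-site 302s in response logs. This is an added example for this thread, not OrangeHRM or Symfony code; the function names, `ALLOWED_HOSTS`, the fallback path, and the log lines are all constructed here.

```python
"""Referer-derived redirects: vulnerable resolution beside a hardened one.

Added example for issue #1174, not project code. ALLOWED_HOSTS,
FALLBACK_PATH, the function names and SAMPLE_LOG are constructed.
"""
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment hostname(s). In a real deployment this mirrors what the
# web server is bound to (the nginx server_name recommended above).
ALLOWED_HOSTS = {"hr.example.internal"}

# Internal destination used whenever the Referer cannot be trusted
# (constructed path, modelled on the endpoint named in the report).
FALLBACK_PATH = "/symfony/web/index.php/pim/viewPersonalDetails"


def resolve_redirect_vulnerable(referer: Optional[str],
                                default: str = FALLBACK_PATH) -> str:
    """The behaviour reported: trust the Referer wholesale.

    Whatever scheme and host the client supplies ends up in the Location
    header, so a Referer of http://example.com/... yields an off-site 302.
    """
    return referer or default


def resolve_redirect_safe(referer: Optional[str],
                          default: str = FALLBACK_PATH) -> str:
    """Honour the Referer only when it points at an allow-listed host.

    Returns a *relative* target (path and query only), so even a matching
    host cannot smuggle in a different scheme, port or userinfo.
    """
    if not referer:
        return default
    parts = urlsplit(referer)
    # Anything other than http(s) (e.g. a javascript: URL) is rejected.
    if parts.scheme not in ("http", "https"):
        return default
    # urlsplit().hostname strips userinfo/port and lower-cases the host, so
    # "http://hr.example.internal@example.com/" resolves to example.com.
    if parts.hostname is None or parts.hostname not in ALLOWED_HOSTS:
        return default
    path = parts.path or "/"
    # A path beginning with "//" would be read by browsers as a
    # protocol-relative absolute URL; do not emit one.
    if path.startswith("//"):
        return default
    return urlunsplit(("", "", path, parts.query, ""))


# Constructed response-log lines, "<status> <Location header or ->", as a
# log pipeline might record them (assumed format, not an OrangeHRM log).
SAMPLE_LOG = [
    "302 http://hr.example.internal/symfony/web/index.php/pim/viewPersonalDetails/empNumber/7",
    "302 http://example.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/7",
    "200 -",
]


def find_offsite_redirects(lines: List[str]) -> List[str]:
    """Return Location values of 302 responses that leave the allow-list.

    A simple detection for the symptom in the report: the application
    answering with a redirect to a host it does not serve.
    """
    hits = []
    for line in lines:
        status, _, location = line.partition(" ")
        if status != "302" or location in ("", "-"):
            continue
        host = urlsplit(location).hostname
        if host is not None and host not in ALLOWED_HOSTS:
            hits.append(location)
    return hits


if __name__ == "__main__":
    forged = "http://example.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/7"
    print("vulnerable:", resolve_redirect_vulnerable(forged))
    print("hardened:  ", resolve_redirect_safe(forged))
    print("off-site redirects in log:", find_offsite_redirects(SAMPLE_LOG))
```

The hardened resolver deliberately returns a relative path rather than echoing the validated URL back: once the host check has passed, nothing from the client-controlled scheme or authority is needed to get the user back to the page they came from.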
