Environment details
OrangeHRM version: 4.10
OrangeHRM source: Release build from Sourceforge or Git clone
Platform: Ubuntu
PHP version: 7.3.33
Database and version: MariaDB 10.3
Web server: Apache 2.4.52
If applicable:
Browser: Firefox
Describe the bug
When an authenticated user submits the "Personal Details" form, a 302 redirect to the "Personal Details" URL is sent in the response. Following is a request and its response:
HTTP/1.1 302 Found
Date: Wed, 09 Mar 2022 05:49:01 GMT
Server: Apache/2.4.29 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: http://localhost/symfony/web/index.php/pim/viewPersonalDetails/empNumber/2
Content-Length: 148
Connection: close
Content-Type: text/html; charset=utf-8
It was noticed that upon manipulating the Host header in the POST request to an arbitrary domain, it was possible to inject the Host header into the URL redirection in the 302 response. A user would then be redirected to the arbitrary domain. For example, the domain "example.com" can be passed as the value of the Host header in the POST request. The resulting 302 response redirects the user to http://example.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/2. Due to the nature of this vulnerability, it can be used in phishing attacks.
Following are the endpoints in the OrangeHRM application that are vulnerable to the Host Header Injection Redirect vulnerability:
/symfony/web/index.php/pim/viewPersonalDetails
/symfony/web/index.php/auth/validateCredentials
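The defect described above is that the Location header is assembled from the request's Host value, so whatever a client sends comes back in the redirect. The following is an added example (not OrangeHRM or Symfony code) showing the vulnerable construction next to a hardened one that validates Host against an allowlist and builds the redirect from a configured canonical base URL, answering an unrecognised Host with the 404 the report expects. It also includes a small checker that parses a raw HTTP response like the one quoted above and flags a redirect whose Location host is not trusted, which is useful when re-testing a fix. TRUSTED_HOSTS, CANONICAL_BASE, the (status, headers) tuple standing in for a framework response object and the spoofed sample response are all assumptions constructed for this example; the first sample response is the one quoted in the report.

```python
import re
from urllib.parse import urlsplit

# Hypothetical deployment values (assumptions for this example, not OrangeHRM settings).
TRUSTED_HOSTS = frozenset({"hr.example.internal", "localhost"})
CANONICAL_BASE = "https://hr.example.internal"
PATH = "/symfony/web/index.php/pim/viewPersonalDetails/empNumber/2"

# Only hostname characters and an optional numeric port are accepted in Host.
_HOST_RE = re.compile(r"^[a-z0-9.-]+(?::\d{1,5})?$")


def normalize_host(host_header):
    """Lower-case the Host value, drop a trailing dot and the default ports 80/443."""
    host = host_header.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name.rstrip(".") + ("" if port in ("80", "443") else ":" + port)
    return host.rstrip(".")


def host_is_trusted(host_header, trusted=TRUSTED_HOSTS):
    """True only if the normalised Host is well-formed and on the allowlist."""
    host = normalize_host(host_header)
    return bool(_HOST_RE.match(host)) and host in trusted


def vulnerable_redirect(host_header, path):
    """The pattern the report describes: Location is built from the request Host."""
    return (302, {"Location": "http://" + host_header + path})


def hardened_redirect(host_header, path):
    """Redirect built from the canonical base; unknown hosts get a 404."""
    if not path.startswith("/") or path.startswith("//"):
        return (400, {})  # refuse absolute or protocol-relative targets
    if not host_is_trusted(host_header):
        return (404, {})  # the "Expected behavior" stated in the report
    return (302, {"Location": CANONICAL_BASE + path})


def audit_response(raw_response, trusted=TRUSTED_HOSTS):
    """Parse a raw HTTP response and report whether a redirect leaves the trusted hosts."""
    lines = raw_response.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    location_host = None
    location = headers.get("location")
    if location:
        netloc = urlsplit(location).netloc
        location_host = normalize_host(netloc) if netloc else None
    offsite = (
        status in (301, 302, 303, 307, 308)
        and location_host is not None
        and location_host not in trusted
    )
    return {"status": status, "location_host": location_host, "offsite": offsite}


# Response quoted in the report (Location points at localhost).
PAGE_RESPONSE = """HTTP/1.1 302 Found
Date: Wed, 09 Mar 2022 05:49:01 GMT
Server: Apache/2.4.29 (Ubuntu)
Cache-Control: no-store, no-cache, must-revalidate
Location: http://localhost/symfony/web/index.php/pim/viewPersonalDetails/empNumber/2
Content-Type: text/html; charset=utf-8
"""

# Constructed sample: the same response after a spoofed Host header was reflected.
SPOOFED_RESPONSE = PAGE_RESPONSE.replace("http://localhost/", "http://example.com/")


if __name__ == "__main__":
    print("vulnerable:", vulnerable_redirect("example.com", PATH))
    print("hardened:  ", hardened_redirect("example.com", PATH))
    print("hardened:  ", hardened_redirect("hr.example.internal", PATH))
    print("audit page response:   ", audit_response(PAGE_RESPONSE))
    print("audit spoofed response:", audit_response(SPOOFED_RESPONSE))
```

The allowlist check runs before any redirect is built, so the Host value never reaches the Location header; the same check is what Symfony's trusted-hosts setting or an Apache default virtual host would enforce in front of the application, and audit_response gives a quick regression check over captured responses once a fix is deployed.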
To Reproduce
Login to the OrangeHRM application
Navigate to "My Info"
Under "Personal Details", click on "Edit"
Turn on Intercept in Burp Suite (or any other web proxy)
Click on "Save"
Change the value of the Host header to attacker.com
Click on Forward in Burp and turn off Intercept
You will notice that the page gets redirected to http://attacker.com/symfony/web/index.php/pim/viewPersonalDetails/empNumber/X
Expected behavior
A 404 error.
What do you see instead:
A 302 redirect to the malicious domain.
Screenshots