Environment details
OrangeHRM version: 4.10
OrangeHRM source: Release build from Sourceforge or Git clone
Platform: Ubuntu
PHP version: 7.3.33
Database and version: MariaDB 10.3
Web server: Apache 2.4.52
If applicable:
Browser: Firefox
Describe the bug
In order to share a video, a user provides the URL in the "Share Video" feature under "Buzz". A GET request is then sent to the /symfony/web/index.php/buzz/addNewVideo endpoint with the URL as a parameter. The application's backend validates this URL against a whitelist of domains and sends an appropriate response. If the domain in the URL is in the whitelist, the application creates an iframe element and embeds the video link in it. The user then submits the post by clicking the "Save Video" button.
The "OrangeBuzz" page, including the newly posted video, is sent back in the response body. The whitelist-based validation only covers the initial addNewVideo request: the value of the createVideo%5BlinkAddress%5D parameter in the request sent when "Save Video" is clicked is not validated again, so it can be replaced with any arbitrary URL. The value of this parameter is injected into the iframe's src attribute. Because of this, it is possible to inject the javascript: pseudo-protocol and gain arbitrary JavaScript execution in the browser of anyone who visits the "OrangeBuzz" page. For example, the string javascript:alert(document.domain) can be passed as the value of the createVideo%5BlinkAddress%5D parameter. When a user visits the OrangeBuzz page, the payload is interpreted as JavaScript and executed, so an alert pops up showing the domain hosting the application. Since the post is stored, the payload runs for every user who views the page, not only the one who submitted it.
To Reproduce
Login to the OrangeHRM application
Navigate to "Buzz" > "Share Video"
Paste any youtube.com video link
Turn on Intercept in Burp Suite (or any other web proxy)
Click on "Save video"
Replace the value of the POST parameter createVideo%5BlinkAddress%5D with javascript:alert(document.domain) and click "Forward" in Burp
Turn off Intercept in Burp
Navigate to "Buzz"
Notice that an alert pops up showing the domain of the application's server, which means the payload injected into the createVideo%5BlinkAddress%5D parameter was interpreted as JavaScript and executed.
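The following is an added example, not OrangeHRM code, illustrating the two points made in the description and the reproduction steps above: the whitelist check has to run at the save step (on the createVideo[linkAddress] value that actually gets stored), and it has to be a check on the parsed scheme and host rather than a substring match, so that javascript:alert(document.domain) is rejected. It is written in Python as a stand-in for the PHP backend; the allowlisted hosts, the function names and the sample OrangeBuzz HTML are assumptions made for the example. The second function scans a page for iframes whose src would not pass that check, which is how an administrator could look for posts injected before a fix is applied.

```python
"""Added example (not OrangeHRM code): strict allowlist validation of a shared
video URL at the save step, plus a scan of rendered Buzz HTML for iframes whose
src would not pass that validation.

Assumptions: ALLOWED_HOSTS, the function names and SAMPLE_PAGE are constructed
for this example; OrangeHRM's real whitelist and markup may differ.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist; the report only shows that youtube.com links are accepted.
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be"}
ALLOWED_SCHEMES = {"https"}


def is_allowed_video_url(url: str) -> bool:
    """True only for an absolute https URL whose host is on the allowlist.

    Parsing with urlsplit (instead of looking for 'youtube.com' anywhere in
    the string) is what rejects 'javascript:alert(document.domain)': its
    scheme is 'javascript' and it has no host at all.  It also rejects
    'https://youtube.com.evil.example/' and 'https://evil.example/?youtube.com'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = (parts.hostname or "").lower()
    return host in ALLOWED_HOSTS


def save_video_post(link_address: str) -> str:
    """Server-side save step (assumed name): validate the submitted
    linkAddress here, not only in the earlier addNewVideo preview request,
    and escape it before placing it in the src attribute."""
    if not is_allowed_video_url(link_address):
        raise ValueError("linkAddress is not an allowed video URL")
    return '<iframe src="%s"></iframe>' % escape(link_address, quote=True)


class _IframeSrcCollector(HTMLParser):
    """Collect the src attribute of every <iframe> on a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src":
                    self.srcs.append(value or "")


def find_unsafe_iframes(page_html: str) -> list:
    """Return iframe src values on a rendered page that fail the allowlist
    check; useful for finding posts stored before the fix was deployed."""
    parser = _IframeSrcCollector()
    parser.feed(page_html)
    return [s for s in parser.srcs if not is_allowed_video_url(s)]


# Constructed sample of a Buzz page with one legitimate post and one injected
# post; not a real capture from OrangeHRM.
SAMPLE_PAGE = """
<div class="post"><iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe></div>
<div class="post"><iframe src="javascript:alert(document.domain)"></iframe></div>
"""

if __name__ == "__main__":
    print(is_allowed_video_url("https://www.youtube.com/watch?v=VIDEO_ID"))
    print(is_allowed_video_url("javascript:alert(document.domain)"))
    print(find_unsafe_iframes(SAMPLE_PAGE))
```

The essential design choice is that the value written into the iframe is the one that was validated: the preview request and the save request carry the URL separately, so validating only the first leaves the second attacker-controlled. Escaping the attribute value is a second, independent layer; it does not by itself stop a javascript: URL, which is why the scheme check is what matters here.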
Expected behavior
The value of the createVideo%5BlinkAddress%5D parameter should be validated by the application's backend when the post is saved, and the request rejected with an error if it fails validation.
What do you see instead:
The post gets uploaded successfully.
Screenshots