OrangeHRM 2.5.0.4 Cross Site Request Forgery / Cross Site Scripting / SQL Injection

Posted May 10, 2010
Authored by Laszlo Klock, Tamas Czigany

OrangeHRM version 2.5.0.4 suffers from php code injection, cross site request forgery, cross site scripting and remote SQL injection vulnerabilities.

tags | advisory, remote, php, vulnerability, xss, sql injection, csrf
SHA-256 | ff47cc81bc380e6b7df1cddb5ba45a72534f65bc141e04718067b6e3c0fdada2

Vulnerability Report

1. Affected software
OrangeHRM 2.5.0.4
Prior versions may also be affected.
"OrangeHRM is an Open Source HRM system. It provides an ideal solution
for small and medium sized enterprises looking for an inexpensive way to
effectively manage and develop their human resources."
Product link: http://www.orangehrm.com/

2. Vulnerability Information
Class: Cross site scripting, SQL injection, PHP code injection, Cross-site
request forgery
Impact: Session hijacking, unauthorized data access, privilege escalation,
user-assisted arbitrary command execution
Rating: Less critical
Remotely Exploitable: Yes
Locally Exploitable: No


3. Description of Vulnerability
3.1.1. Stored XSS in ESS (Employee Self-Service)
In the ESS module, user inputs are not sanitized properly, leading to a stored XSS
vulnerability.
Exploiting this vulnerability would allow a malicious ESS user to gain
administrative privileges.


3.1.2. Stored XSS in the publicly accessible jobs.php module
In the recruitment module, user inputs are not sanitized properly, leading to
a stored XSS vulnerability.
Exploiting this vulnerability would allow an unauthenticated attacker to gain
user or administrator privileges.

3.1.3. Reflected XSS
Some of the AJAX responses are not sanitized, leading to a reflected XSS
vulnerability.

3.1.4. SQL injection
There are several places in the software where authenticated ESS users
can perform SQL injection attacks.
Successful exploitation of this vulnerability can lead to unauthorized access
to sensitive data, or to arbitrary code execution.

3.1.5. CSRF and PHP code injection
There are no security measures implemented in the software against CSRF
attacks. If a remote attacker can trick an administrator into visiting a
malicious site, the attacker can perform privileged operations, or exploit the
PHP code injection vulnerability found in the mail administration module.
Successful exploitation of these vulnerabilities can lead to arbitrary code
execution.

3.1.6. Authorization vulnerabilities
The Timesheet, Attendance, HSP, Recruitment, and Leave modules contain bugs
in the authorization code that may allow authenticated ESS users to access
sensitive information or perform privileged operations.

4. Solution
We are not aware of any official fixes.

5. Workaround
Workarounds for some of these vulnerabilities can be implemented through
a Web Application Firewall, for example ModSecurity™ with the Core Rule
Set (CRS).
When using ModSecurity™, make sure the XSS and SQL injection protection
rules are enabled and that SecRequestBodyAccess is set to On (it is off by
default, so POST bodies are otherwise never inspected). CSRF protection can
be implemented as described here:
http://knol.google.com/k/preventing-cross-site-request-forgeries-csrf-usingmodsecurity
One should also consider revoking write access on lib/confs/mailConf.php
from the Apache user (after doing so, OrangeHRM mail configuration can no
longer be modified from the admin menu, which blocks the PHP code injection
path described in 3.1.5).
The session encryption features of the Suhosin PHP extension can make
session hijacking attacks harder as well.
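As an added illustration of the ModSecurity workaround above (not part of the original advisory or of OrangeHRM), the following Apache configuration shows the setting the advisory warns is off by default next to its corrected value, includes the CRS, and adds a coarse Referer check on state-changing requests; all file paths, the hostname hr.example.com and the rule ids are assumptions.

```apache
# Added example: mod_security2 settings for an OrangeHRM virtual host.
# Paths, hostname and rule ids are assumed; adjust to your installation.
<IfModule security2_module>
    SecRuleEngine On

    # Weak (default) setting: request bodies are never inspected, so the
    # CRS XSS/SQLi rules never see the POSTed ESS form fields.
    #   SecRequestBodyAccess Off
    # Corrected setting, as the advisory recommends:
    SecRequestBodyAccess On

    # Keep an audit trail of blocked requests for incident review.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # OWASP Core Rule Set (path is an assumption).
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf

    # Coarse CSRF mitigation for state-changing requests: deny POSTs whose
    # Referer does not point back at this deployment. This is simpler and
    # weaker than the token-based approach the advisory links to; a missing
    # Referer is also rejected, so legitimate clients that strip it will
    # need an exception.
    SecRule REQUEST_METHOD "@streq POST" \
        "id:900100,phase:1,deny,status:403,log,\
         msg:'POST without matching Referer (possible CSRF)',chain"
        SecRule REQUEST_HEADERS:Referer "!@beginsWith https://hr.example.com/"
</IfModule>
```

The Referer rule only narrows the CSRF window for browsers that send the header; the token-based protection in the linked article remains the stronger fix.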


6. Timeline
06/04/2010 – Vulnerabilities discovered
09/04/2010 – First attempt to contact vendor
19/04/2010 – Second attempt to contact vendor
10/05/2010 – Public disclosure

7. Credits
These vulnerabilities were discovered by Tamás Czigány and Laszlo Klock.

8. About us
SecurityAngel is the vulnerability research lab of kancellar.hu.
kancellar.hu is Hungary’s market leading information security private
limited company. The company offers full scope information security
services to its customers, performs audits, delivers end-to-end security
systems, tools, and solutions. Since its foundation in 2002, its revenues
have increased by more than tenfold. According to the survey conducted by
Deloitte, kancellar.hu was one of the 50 most dynamically developing
Central European companies for two years in a row in 2008 and 2009, and
one of the 500 most quickly growing companies in the EMEA region.

9. Legal notices
Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are
no warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.
The product names used in this document are for identification purposes
only. All trademarks and registered trademarks are the property of their
respective owners.
