This vulnerability was reported to the maintainers on Nov 23rd, 2021, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.
Description
DOM XSS in login.php GET parameter key.
The input to key GET parameter is unsanitized as required for the context (javascript context ), and gets reflected in the DOM.
The payload passed fm gets sanitized by PHP code. This could be bypassed by adding an extra GET param content with the value HTML. Thus backend will not sanitize any user input.
This vulnerability is capable of script execution on the victim's browser.
It's possible to run a keylogger script and capture password of the victim user who tries to login by typing in thier credentials.
Important note :
This vulnerability was reported to the maintainers on Nov 23rd, 2021, and there has been no response yet. So, I infer it makes sense to publish it publicly here for the good sake of everyone who is using this software actively.
Description
DOM XSS in login.php GET parameter
key
. The input tokey
GET parameter is unsanitized as required for the context (javascript context ), and gets reflected in the DOM.Proof of Concept
Occurrence 1 : Request param
key
Request:
Follow the link : https://icehrmpro.gamonoid.com/login.php?key=%27;alert(document.cookie)// to test this vulnerability on the live demo version of the website.
Occurence 2 : Request param
fm
The payload passed
fm
gets sanitized by PHP code. This could be bypassed by adding an extra GET paramcontent
with the valueHTML
. Thus backend will not sanitize any user input.Follow the link : https://icehrmpro.gamonoid.com/login.php?f=boo&fm=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E&content=HTML to test this vulnerability on the live demo version of the website.
Impact
This vulnerability is capable of script execution on the victim's browser. It's possible to run a keylogger script and capture password of the victim user who tries to login by typing in thier credentials.
References
https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/07-Input_Validation_Testing/01-Testing_for_Reflected_Cross_Site_Scripting
Occurrences
1. HTML sanitization can be bypassed with an extra
content=HTML
GET paramhttps://github.com/gamonoid/icehrm/blob/master/core/login.php#L357-L361
2.
https://github.com/gamonoid/icehrm/blob/f44b9ec8dd60f42c9e94ac78c55d82244b74b4db/core/login.php#L213-L219