Vendor: Simple HRM System
By: Doraemon
CVSS: 7.5 (HIGH)
Vulnerability types: SQL Injection, Cookie Spoofing
CWE: 89, 522
Product Name: Simple HRM System
Affected Version From: 2.2
Affected Version To: 2.3
Patch Exists: NO
Related CVE: CVE-2013-2498, CVE-2013-2499
CPE: 2.3:a:simplehrm:simple_hrm_system:2.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: 2.2 & 2.3
2013

Multiple Vulnerabilities in Simple HRM system v2.3 and below

Simple HRM System is vulnerable to SQL injection in its login page. An attacker can perform blind SQL injection through the login form and extract information such as a user's password hash. Additionally, if an attacker obtains a user's password hash, the attacker can easily forge a cookie and impersonate any user of the system, because the session cookie is derived only from the user id, username and stored password hash. Combined with the blind SQL injection above, an attacker can blindly extract the password hash, user id and username and recreate the cookie. This vulnerability effectively defeats one of the primary purposes of password hashing.

Mitigation:

Sanitize user input and use secure authentication methods.

Exploit-DB raw data:

# Exploit Title: Multiple Vulnerabilities in Simple HRM system v2.3 and below
# Date: 12/04/2013
# Exploit Author: Doraemon
# Vendor Homepage: http://www.simplehrm.com/
# Software Link: http://sourceforge.net/projects/simplehrm/
# Version: 2.2/2.3
# Tested on: 2.2 & 2.3
# CVE : CVE-2013-2498, CVE-2013-2499

Date Discovered: 07 March 2013

Vendor notified: 12 March 2013 (No response from vendor after 1 month)

Advisory posted: 12 April 2013


CVE-2013-2498

Simple HRM system is vulnerable to SQL injection attacks in its login page.

An attacker can perform blind SQL injection through the login form and
obtain information such as the password hash.

Attack URL: http://localhost/simplehrm/index.php/user/setLogin
Method: POST
Vuln Parameter: username=(SQL INJECTION)&password=abcdef
Vuln Type: unsanitised input argument ($name) in
Vuln File: simlehrm/flexycms/modules/user/user_manager.php
Line: 84

    $res_company = getsingleindexrow('CALL get_search_sql("'.TABLE_PREFIX.'company","email_id = \''.$name.'\' AND isactive = 1 LIMIT 1")');

CVE-2013-2499

We discovered that if an attacker were to grab hold of the user's password
hash, the attacker can easily spoof a cookie and impersonate anyone to
access the system. Together with the blind SQL injection stated above, an
attacker can simply blindly extract the password hash, userid and username
and recreate a cookie.

Vuln File: simlehrm/flexycms/modules/user/user_manager.php
Line: 215

    $v_user_password = md5($info['id_user'].$info['username'].$info['password']);

This vuln effectively defeats one of the primary purposes of password hashing.


Regards

Doraemon
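As an added, defender-side example (not code from Simple HRM or the advisory author), this is the hardened shape of the two lines the advisory cites, written against PHP's PDO: the lookup binds the e-mail address as a parameter, and the session cookie carries a random token rather than a value derived from the stored hash. The table and column names, a `sessions` table and `password_hash()`-style stored digests are assumptions.

```php
<?php
// Added example, not code from Simple HRM or the advisory author. The table and column
// names, the `sessions` table and password_hash()-style stored digests are assumptions.

// CWE-89 (CVE-2013-2498): bind the e-mail address as a parameter instead of splicing
// $name into the SQL text that is handed to the stored procedure.
function findActiveCompanyByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare(
        'SELECT id_user, username, password FROM company'
        . ' WHERE email_id = :email AND isactive = 1 LIMIT 1'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// CWE-522 (CVE-2013-2499): md5(id_user . username . password) can be rebuilt by anyone
// who can read the table, so the cookie must carry a random, unguessable token instead.
// Only a hash of the token is stored; the token itself lives in the cookie alone.
function issueSessionToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO sessions (user_id, token_hash, created_at) VALUES (:uid, :th, :ts)'
    );
    $stmt->execute([':uid' => $userId, ':th' => hash('sha256', $token), ':ts' => time()]);
    return $token;
}

function userIdForToken(PDO $db, string $token): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE token_hash = :th LIMIT 1');
    $stmt->execute([':th' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['user_id'];
}

// Login: password_verify() checks the submitted password against the stored digest;
// the issued token, not anything derived from the hash, becomes the session cookie.
function login(PDO $db, string $email, string $password): ?string
{
    $row = findActiveCompanyByEmail($db, $email);
    if ($row === null || !password_verify($password, $row['password'])) {
        return null; // same response for unknown user and wrong password
    }
    $token = issueSessionToken($db, (int) $row['id_user']);
    setcookie('session', $token, ['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    return $token;
}
```

With this layout a dump of the company table yields nothing that lets an attacker mint a valid cookie, and a leaked cookie can be revoked by deleting its row from `sessions`.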