Multiple vulnerabilities in OrangeHRM

Advisory ID: HTB23080
Published: 2012-03-07 00:00:00
Author: High-Tech Bridge
Source: www.htbridge.com

CVSS2 score: 6.5 (Medium)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.007 (Low), percentile 77.1%

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in OrangeHRM, which can be exploited to perform SQL Injection and Cross-Site Scripting (XSS) attacks.

  1. SQL Injection in OrangeHRM: CVE-2012-1506
    1.1 Input passed via the “hspSummaryId” GET parameter to /plugins/ajaxCalls/haltResumeHsp.php is not properly sanitised before being used in an SQL “UPDATE” query. This vulnerability can be exploited by time-based blind SQL injection techniques to reveal sensitive information from the database.
    The following PoC (Proof of Concept) will cause a delay in script execution if the MySQL server version is 5.*:
    http://[host]/plugins/ajaxCalls/haltResumeHsp.php?newHspStatus=1&empId=2&hspSummaryId=%27%20OR%20%28select%20IF%28%28select%20mid%28version%28%29,1,1%29%29=5,%28select%20BENCHMARK%281000000,ENCODE%28%22hello%22,%22goodbye%22%29%29%29,%272%27%29%29%20--%202
    Successful exploitation of this vulnerability requires the attacker to be registered and logged in.

  2. Multiple Cross-Site Scripting (XSS) in OrangeHRM: CVE-2012-1507
    2.1 Input passed via the “newHspStatus” GET parameter to /plugins/ajaxCalls/haltResumeHsp.php is not properly sanitised before being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of the affected website.
    The following PoC (Proof of Concept) demonstrates the vulnerability:
    http://[host]/plugins/ajaxCalls/haltResumeHsp.php?hspSummaryId=1&newHspStatus=1%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&empId=1
    2.2 Input passed via the “sortOrder” GET parameter to /templates/hrfunct/emppop.php is not properly sanitised before being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in a user’s browser session in the context of the affected website.
    The following PoC (Proof of Concept) demonstrates the vulnerability:
    http://[host]/templates/hrfunct/emppop.php?reqcode=1&sortOrder1=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
    2.3 Input passed via the “uri” GET parameter to /index.php is not properly sanitised before being returned to the user.
    This can be exploited to execute arbitrary HTML and script code in an administrator’s browser session in the context of the affected website.
    The following PoC (Proof of Concept) demonstrates the vulnerability:
    http://[host]/index.php?uri=%22%3E%3C/iframe%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
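For defenders who cannot patch immediately, the two issue classes above (the time-based blind SQL injection in section 1 and the reflected XSS in section 2) leave recognisable traces in web-server access logs. The following is an added example, not code from High-Tech Bridge or from OrangeHRM: it URL-decodes each request's query parameters and flags values containing MySQL delay primitives, a quote-breakout followed by a subquery, or reflected tag markup, and marks hits on the three endpoints the advisory names. The combined log format, the sample log lines and the detection heuristics are assumptions made for the example; the PoC requests in the sample are the ones printed in the advisory.

```python
"""Flag access-log requests matching the injection patterns described in HTB23080.

Added example (not High-Tech Bridge or OrangeHRM code). The log format,
sample lines and heuristics below are assumptions, not part of the advisory.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Endpoints the advisory names as vulnerable (HTB23080, sections 1 and 2).
ADVISORY_ENDPOINTS = {
    "/plugins/ajaxCalls/haltResumeHsp.php",
    "/templates/hrfunct/emppop.php",
    "/index.php",
}

# Heuristic patterns (assumed, not from the advisory) for the two issue classes.
PATTERNS = {
    # MySQL delay primitives typical of time-based blind injection.
    "sqli-time-based": re.compile(r"\b(benchmark|sleep)\s*\(", re.IGNORECASE),
    # Quote breakout followed by a boolean operator and a subquery or IF().
    "sqli-breakout": re.compile(r"['\"]\s*(or|and)\s*\(?\s*(select|if)\b", re.IGNORECASE),
    # Tag markup (opening or closing) reflected into an HTML response.
    "xss-markup": re.compile(r"<\s*/?\s*(script|iframe|img|svg)\b", re.IGNORECASE),
}

# Apache/nginx combined-log prefix; the request target never contains spaces.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_value(value):
    """Return the sorted pattern names that match one query-parameter value."""
    # parse_qsl already decoded once; a second pass catches double-encoded payloads.
    decoded = unquote_plus(value)
    return sorted(name for name, rx in PATTERNS.items() if rx.search(decoded))


def analyze_request(target):
    """Split a request target into its path and a list of (param, kinds) findings."""
    parts = urlsplit(target)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        kinds = classify_value(value)
        if kinds:
            findings.append((name, kinds))
    return parts.path, findings


def analyze_log(lines):
    """Return one alert dict per suspicious parameter found in the log lines."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip rather than guess
        path, findings = analyze_request(m["target"])
        for param, kinds in findings:
            alerts.append({
                "ip": m["ip"],
                "path": path,
                "param": param,
                "kinds": kinds,
                # True when the path is one the advisory names as vulnerable.
                "advisory_endpoint": path in ADVISORY_ENDPOINTS,
            })
    return alerts


# Constructed sample log: the three PoC requests from the advisory plus two benign requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2012:10:00:01 +0000] "GET /plugins/ajaxCalls/haltResumeHsp.php?newHspStatus=1&empId=2&hspSummaryId=%27%20OR%20%28select%20IF%28%28select%20mid%28version%28%29,1,1%29%29=5,%28select%20BENCHMARK%281000000,ENCODE%28%22hello%22,%22goodbye%22%29%29%29,%272%27%29%29%20--%202 HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Mar/2012:10:00:02 +0000] "GET /templates/hrfunct/emppop.php?reqcode=1&sortOrder1=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 2048',
    '10.0.0.9 - - [07/Mar/2012:10:00:03 +0000] "GET /index.php?uri=%22%3E%3C/iframe%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E HTTP/1.1" 200 4096',
    '10.0.0.7 - - [07/Mar/2012:10:00:04 +0000] "GET /plugins/ajaxCalls/haltResumeHsp.php?newHspStatus=1&empId=2&hspSummaryId=17 HTTP/1.1" 200 512',
    '10.0.0.7 - - [07/Mar/2012:10:00:05 +0000] "GET /templates/hrfunct/emppop.php?reqcode=1&sortOrder=ASC HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for a in analyze_log(SAMPLE_LOG):
        print(f'{a["ip"]} {a["path"]} param={a["param"]} kinds={",".join(a["kinds"])} '
              f'advisory_endpoint={a["advisory_endpoint"]}')
```

Run against the constructed sample, the first three lines produce one alert each (the hspSummaryId value matches both SQL patterns, the two XSS PoCs match the markup pattern) and the two benign requests produce none. The patterns are deliberately narrow so that they stay readable; in production they would sit behind a WAF or SIEM rule and be tuned against the application's legitimate traffic, and the second decoding pass will also turn a literal "%25" in benign input into "%", which is acceptable for a detector but not for anything that rewrites the request.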

Affected software (CPE):
  Name: orangehrm   Operator: le   Version: 2.7
