* OrangeHRM 2.7.1-rc.1 and prior
A SQL injection vulnerability has been discovered in OrangeHRM, which could be exploited to alter SQL requests to the application's database.
1) SQL Injection Vulnerability in Orange HRM: CVE-2012-5367
The vulnerability was discovered in the "/symfony/web/index.php" script while handling the "sortField" HTTP GET parameter.
Successful exploitation of this vulnerability requires administrative privileges, however it can be exploited by a non-authenticated user via CSRF vector, as the above-mentioned script is also vulnerable to CSRF attack.
The vulnerability could be triggered by accessing the following URIs:
The PoC codes below are based on DNS Exfiltration technique and can be used in cases when application's database is hosted on a Windows system. The PoCs will send a DNS request demanding IP addess for `version()` (or any other sensitive information from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):