Horilla HRMS Unrestricted File Upload Vulnerability Leading to Stored Cross-Site Scripting and Session Hijacking

Vulnerability

A vulnerability in Horilla, a free and open-source Human Resource Management System, allows unrestricted file uploads because the only validation happens in the browser. Prior to version 1.4.0, the upload flow checked files client-side and performed no equivalent server-side checks, so a user who bypasses the browser check can upload an HTML document containing script. When an administrator or other privileged user opens the file, the browser renders it in the application's origin and the embedded script runs in that user's context, where it can send session cookies (where they are readable from script) or other credentials to an attacker-controlled endpoint, or issue requests as the victim. The attacker can then use the stolen session to impersonate the admin.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the uploaded file is persisted on the server and executes script in the browser of any user who views it. Because privileged users review uploaded documents, this leads to session hijacking, as the attacker can capture an admin's session cookie and impersonate that account.

Reproduction

To reproduce this vulnerability, upload a file through the reimbursement panel, which relies on the browser to validate the file and does not re-check it on the server. Using an intercepting proxy, capture the upload request after the client-side check has passed and replace the submitted file with an HTML document containing script (alternatively, disable the page's JavaScript validation). Once the file is stored, have an administrator or privileged user open it in their browser. The embedded script executes in the application's origin and sends the session cookies to an external server controlled by the attacker. After upgrading, the same request should be rejected by the server, which confirms the fix.

Remediation

Users are advised to update to Horilla version 1.4.0 or later, which addresses this vulnerability by adding server-side validation to the file upload process so that the browser check is no longer the only control.
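The kind of server-side check the fix needs, as an added example that is not Horilla's code and not taken from the 1.4.0 patch: a stdlib-only Python validator for a reimbursement receipt that trusts nothing the browser sent except the bytes. It allow-lists extensions, verifies the leading bytes match the claimed type (so renamed HTML is refused), rejects files that carry browser-executable markup near the start (the polyglot case), strips client-supplied path components, and ignores the declared Content-Type entirely. The allow-list, the 5 MB cap and the function names are assumptions for the example. A second helper builds the response headers for serving a stored upload as an attachment with nosniff, so that even a file which slipped past validation is downloaded rather than rendered in the application's origin.

```python
"""Server-side upload validation (added example; assumed names and limits).

Client-side checks can be stripped with an intercepting proxy, so every rule
here runs on the server and inspects the actual bytes.
"""
import os
import re

# Assumed allow-list for a receipt: documents and images only.
# Maps extension -> (required leading bytes, canonical Content-Type to serve).
ALLOWED = {
    ".pdf":  (b"%PDF-",             "application/pdf"),
    ".png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg":  (b"\xff\xd8\xff",      "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff",      "image/jpeg"),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed cap

# Markup a browser could execute if the file were ever rendered inline.
# Searched in the leading bytes to catch polyglots (valid magic + HTML tail).
ACTIVE_MARKUP = re.compile(
    rb"<\s*(?:script|html|svg|iframe|object|embed|!doctype)\b", re.I
)
SNIFF_WINDOW = 4096


class UploadRejected(ValueError):
    """Raised when an upload fails a server-side rule."""


def validate_upload(filename: str, data: bytes) -> tuple[str, str]:
    """Return (safe_name, content_type) or raise UploadRejected.

    The client's declared Content-Type is deliberately not a parameter:
    it is attacker-controlled and is never consulted.
    """
    # Drop any client-supplied directory part (".." or absolute paths).
    safe_name = os.path.basename(filename.replace("\\", "/"))
    if not safe_name or "\x00" in safe_name:
        raise UploadRejected("invalid file name")

    ext = os.path.splitext(safe_name)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")

    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")

    magic, content_type = ALLOWED[ext]
    # The name says .pdf; the bytes must say so too (blocks renamed HTML).
    if not data.startswith(magic):
        raise UploadRejected(f"content does not match {ext}")

    # Refuse files that carry browser-executable markup near the start.
    if ACTIVE_MARKUP.search(data[:SNIFF_WINDOW]):
        raise UploadRejected("active markup found in file")

    return safe_name, content_type


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Non-raising wrapper: (accepted, content_type or rejection reason)."""
    try:
        _, content_type = validate_upload(filename, data)
        return True, content_type
    except UploadRejected as exc:
        return False, str(exc)


def download_headers(safe_name: str, content_type: str) -> dict[str, str]:
    """Headers for serving a stored upload so it is never rendered as a page.

    'attachment' forces a download and nosniff stops the browser from
    second-guessing the type; both are a second layer behind validation.
    """
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed samples: a real PDF header, renamed HTML, a bare HTML file,
    # a PDF/HTML polyglot, and a path-traversal name on a valid PNG.
    samples = [
        ("receipt.pdf", b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"),
        ("receipt.pdf", b"<html><script>alert(1)</script></html>"),
        ("receipt.html", b"<html><script>alert(1)</script></html>"),
        ("receipt.pdf", b"%PDF-1.7\n<script>alert(1)</script>"),
        ("../../receipt.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ]
    for name, blob in samples:
        print(name, check_upload(name, blob))
```

The magic-byte check is what the original browser-only flow lacked: a `.pdf` name on an HTML body is refused even if the proxy user also sets `Content-Type: application/pdf`. The polyglot check exists because a file can begin with valid `%PDF-` bytes and still be rendered as HTML by a browser that sniffs the content; serving with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` closes that path on the download side as well.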

Added: Sep 24, 2025, 6:39 PM
Updated: Sep 24, 2025, 6:39 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.4
exploitability  5.9
remediation     7.7
relevance       0.5
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.