Horilla HRMS File Upload Vulnerability Leading to Phishing and Account Takeover

Vulnerability

A critical file upload vulnerability has been identified in Horilla, a free and open-source Human Resource Management System (HRMS), affecting versions prior to 1.5.0. This vulnerability allows authenticated users to upload malicious HTML files disguised as profile pictures. Once uploaded, these files can be used to create convincing phishing pages that replicate the login interface, tricking users into entering their credentials. The captured information is then sent to the attacker's server, facilitating account takeover. Version 1.5.0 addresses this vulnerability.

Impact

Exploitation of this vulnerability allows for credential harvesting and account takeover. Attackers can access sensitive HR data, including personal information, payroll records, and administrative controls, potentially leading to data breaches, financial fraud, and operational disruptions.

Reproduction

To reproduce this vulnerability, an authenticated user with the ability to update profile photos can upload a malicious HTML file by intercepting the profile photo update request with a proxy. After uploading the file, the attacker can share the link with a target, who will see a realistic 'Session Expired' message. When the victim enters their credentials, the attacker receives the login information through a listener.
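The root cause is that the profile-picture endpoint trusts the client-supplied filename and Content-Type instead of the bytes it receives. The following is an added defensive example, not Horilla's own code: it accepts an upload only when the extension, the file's magic bytes and its content all agree it is an image, and it returns the headers a stored picture should be served with so a browser never renders it as HTML. The function names and the accepted formats are assumptions for illustration.

```python
"""Added example (not Horilla project code): validate a profile-picture upload
by its bytes, not by the client-supplied filename or Content-Type header."""
import re

# Magic-byte signatures for the image formats a profile-picture field accepts
# (assumed set; extend to WebP etc. as the application requires).
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
CONTENT_TYPES = {"png": "image/png", "jpg": "image/jpeg",
                 "jpeg": "image/jpeg", "gif": "image/gif"}

# Markup a browser would render if the file were ever served as text/html.
HTML_MARKERS = re.compile(rb"<\s*(?:!doctype|html|script|body|iframe|form)",
                          re.IGNORECASE)


def validate_profile_picture(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Accept only when the extension, the magic
    bytes and the file content all agree that this is an image."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension '{ext}' is not an allowed image type"
    # The client-controlled Content-Type header is deliberately ignored.
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "file header does not match the declared image format"
    # Defence in depth: a polyglot with a valid image header can still carry
    # markup, so refuse anything that looks like HTML anywhere in the file.
    if HTML_MARKERS.search(data):
        return False, "HTML markup found inside image upload"
    return True, "ok"


def serve_headers(ext: str) -> dict:
    """Headers for serving a validated picture: a fixed image Content-Type
    derived from the stored extension, nosniff so the browser never
    reinterprets the bytes, and a CSP that neuters any script or form."""
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```

The validator is intentionally strict: a JPEG whose metadata happens to contain a `<script` string is rejected too, which is the safer failure for a field that only ever holds avatars.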

Remediation

Users are advised to update to Horilla version 1.5.0, which patches this vulnerability.

Added: Jan 22, 2026, 3:34 AM
Updated: Jan 22, 2026, 3:34 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.9
exploitability: 6.2
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.