Description
Environment details
OrangeHRM version: 4.10
OrangeHRM source: Release build from Sourceforge or Git clone
Platform: Ubuntu
PHP version: 7.3.33
Database and version: MariaDB 10.3
Web server: Apache 2.4.52
If applicable:
Browser: Firefox
Describe the bug
A user can create a timesheet for a specific week by using the "Add Timesheet" functionality, after which the timesheet is accessible for editing and submission under the dropdown menu.
It was observed that when the employeeId parameter was set to any valid user's employee ID, a timesheet was created in that employee's account. The application verifies that the user has a valid session, but does not verify that the user is authorised to create a timesheet for a different employeeId. It is also possible to find out whether a timesheet has already been created for a specific week by analysing the HTTP response.
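The root cause described above is that authentication (a valid session) is being treated as authorisation. As an added illustration, not OrangeHRM's own code, the following stand-alone PHP 7.3-compatible sketch shows the check the createTimesheet handler is missing: the employeeId from the request is validated and then compared against what the session user is allowed to act on (own record, direct reports, or an Admin role) before anything is written. The class, the role model and the sample data are hypothetical, and the endpoint returns an identical 403 whether or not a timesheet already exists, so the response no longer reveals another employee's data.

```php
<?php
// Added example, not OrangeHRM code. All names and data below are constructed.
declare(strict_types=1);

final class TimesheetAuthorizer
{
    /** @var array<int, int[]> supervisor empNumber => subordinate empNumbers */
    private $supervisorOf;
    /** @var int[] empNumbers holding the (hypothetical) Admin role */
    private $admins;

    public function __construct(array $supervisorOf, array $admins)
    {
        $this->supervisorOf = $supervisorOf;
        $this->admins = $admins;
    }

    /**
     * The session proves WHO the caller is; this decides WHAT they may do.
     * Returns true when $actor may manage $target's timesheets.
     */
    public function canManageTimesheetOf(int $actor, int $target): bool
    {
        if ($actor === $target) {
            return true;                                   // own timesheet
        }
        if (in_array($actor, $this->admins, true)) {
            return true;                                   // Admin role
        }
        $subordinates = $this->supervisorOf[$actor] ?? [];
        return in_array($target, $subordinates, true);     // direct report
    }
}

/**
 * Handler sketch: validate the parameter, enforce the check, only then write.
 * Returns [httpStatus, body] so the behaviour can be exercised below.
 */
function handleCreateTimesheet(TimesheetAuthorizer $authz, int $sessionEmpNumber, array $query): array
{
    // Never trust the client-supplied employeeId as-is.
    $target = filter_var($query['employeeId'] ?? '', FILTER_VALIDATE_INT);
    if ($target === false) {
        return [400, ['error' => 'invalid employeeId']];
    }
    if (!$authz->canManageTimesheetOf($sessionEmpNumber, $target)) {
        // Same response whether or not a timesheet exists for that week,
        // so the endpoint cannot be used to probe other employees' records.
        return [403, ['error' => 'Credentials required']];
    }
    // ... persist the timesheet for $target here ...
    return [200, ['employeeId' => $target, 'startDate' => $query['startDate'] ?? null]];
}

// Constructed sample data: employee 4 reports to employee 10; employee 1 is Admin.
$authz = new TimesheetAuthorizer([10 => [4]], [1]);

$cases = [
    [2,  ['employeeId' => '2',  'startDate' => '1900-02-26']],  // own timesheet: 200
    [2,  ['employeeId' => '4',  'startDate' => '1900-02-26']],  // user A targeting user B: 403
    [10, ['employeeId' => '4',  'startDate' => '1900-02-26']],  // supervisor of 4: 200
    [1,  ['employeeId' => '4',  'startDate' => '1900-02-26']],  // Admin: 200
    [2,  ['employeeId' => '4x', 'startDate' => '1900-02-26']],  // malformed parameter: 400
];
foreach ($cases as [$actor, $query]) {
    [$status, $body] = handleCreateTimesheet($authz, $actor, $query);
    printf("session=%d employeeId=%s -> HTTP %d %s\n",
        $actor, $query['employeeId'], $status, json_encode($body));
}
```

Run with `php example.php`; the second case reproduces the report's scenario (user A with employeeId 2 supplying employeeId 4) and is refused with the "Credentials required" response the Expected behavior section asks for. The key design point is that the decision is made server-side from the session's employee number and the organisation's reporting data, never from anything the client sends.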
To Reproduce
- Log in to the OrangeHRM application as user A with employeeId 2
- Navigate to "Dashboard" > "My Timesheet"
- Click on "Add Timesheet"
- Turn on Intercept in Burp Suite (or any other web proxy)
- Click on the textbox and select any date, say 1900-03-02
- Click on "Ok"
- Go to the Burp Intercept tab and you will notice a GET request being made to the /symfony/web/index.php/time/createTimesheet endpoint
- Modify the value of the employeeId parameter to user B's employeeId, 4
- Click on Forward and turn off Intercept
- Log in to user B's account
- Navigate to "Dashboard" > "My Timesheet"
- Click on the dropdown menu beside "Timesheet for Week"
- Notice that a new entry has been created with the date 1900-03-02
Expected behavior
"Credentials required" error.
What do you see instead:
The response body contains the date of the entry (1900-02-26).