Zero Science Lab » IceHrm <=7.1 Multiple Vulnerabilities

IceHrm <=7.1 Multiple Vulnerabilities

Title: IceHrm <=7.1 Multiple Vulnerabilities
Advisory ID: ZSL-2014-5215
Type: Local/Remote
Impact: System Access, Cross-Site Scripting, Exposure of System Information, Exposure of Sensitive Information
Risk: (5/5)
Release Date: 08.12.2014

Summary

IceHrm is Human Resource Management web software for small and medium sized organizations. The software is written in PHP. It has community (free), commercial and hosted (cloud) solution.

Description

IceHrm <= 7.1 suffers from multiple vulnerabilities including Local File Inclusion, Cross-Site Scripting, Malicious File Upload, Cross-Site Request Forgery and Code Execution.

Vendor

IceHrm - http://www.icehrm.com

Affected Version

<= 7.1

Tested On

Apache/2.2.15 (Unix)
PHP/5.3.3
MySQL 5.1.73

Vendor Status

[01.12.2014] Vulnerabilities discovered.
[02.12.2014] Vendor contacted.
[02.12.2014] Vendor confirms the issues promising patch.
[04.12.2014] Vendor releases update (new version - v.7.2).
[05.12.2014] Vendor confirms the patch release.
[08.12.2014] Coordinated public security advisory released.

PoC

icehrm_multi.txt

Credits

Vulnerability discovered by Stefan Petrushevski - <stefan@zeroscience.mk>

References

[1] IceHRM - Release note v7.2
[2] http://cxsecurity.com/issue/WLB-2014120041
[3] http://packetstormsecurity.com/files/129416
[4] http://www.securityfocus.com/bid/71552
[5] http://1337day.com/exploit/22972
[6] https://www.yascanner.com/#!/x/20866
[7] http://osvdb.org/show/osvdb/115531
[8] http://osvdb.org/show/osvdb/115532
[9] http://osvdb.org/show/osvdb/115533
[10] http://osvdb.org/show/osvdb/115534
[11] http://osvdb.org/show/osvdb/115535
[12] http://osvdb.org/show/osvdb/115536
[13] http://osvdb.org/show/osvdb/115537
[14] http://www.exploit-db.com/exploits/35490/
[15] http://xforce.iss.net/xforce/xfdb/99242

Changelog

[08.12.2014] - Initial release
[09.12.2014] - Added reference [3], [4], [5], [6], [7], [8], [9], [10], [11], [12] and [13]
[10.12.2014] - Added reference [14]
[15.12.2014] - Added reference [15]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk