Summary
This host is installed with IceHrm and
is prone to multiple vulnerabilities.
Impact
Successful exploitation will allow attacker
to execute arbitrary script code in the context of the vulnerable site, potentially allowing the attacker to steal cookie-based authentication credentials, upload arbitrary files to the affected application, read and write arbitrary files in the context of the user running the affected application, and obtain potentially sensitive information.
Impact Level: Application
Solution
Upgrade to IceHrm 7.2 or later,
For updates refer to http://www.icehrm.com
Insight
Flaws are due to,
- The service.php script not properly sanitizing user input, specifically path traversal style attacks (e.g. '../../') supplied to the 'file' parameter.
- The index.php script not properly sanitizing user input, specifically path traversal style attacks (e.g. '../../') supplied to the 'n' and 'g' parameters.
- The fileupload.php script does not properly verify or sanitize user-uploaded files via the 'file_name' POST parameter.
- The login.php script does not validate input to the 'key' parameter before returning it to users.
- The fileupload_page.php script does not validate input to the 'id', 'file_group', 'user' and 'msg' parameter before returning it to users.
- The /data/ folder that is due to the program failing to restrict users from making direct requests to profile images for users or employees.
- The HTTP requests to service.php do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions.
Affected
IceHrm version 7.1 and prior.
Detection
Send a crafted request via HTTP GET and
check whether it is able to read cookie or not.
References
