gamonoid / icehrm

Manage your employees easily with a robust and efficient Human Resource Management System
http://icehrm.com

Security issue with app/data folder #250

Open lankasomayajulu opened 3 years ago

lankasomayajulu commented 3 years ago

Dear IceHrm Team, This is related to a security issue I came across when dealing with IceHrm. The app/data folder has a permission level of 777, and if I know the file name (attachment name), I can access the file without any login. This is a security issue, which I would like to know if the IceHrm team can deal with in the future.

Thanks, Lanka

ghost commented 3 years ago

Hello, this is an important SECURITY ISSUE. I can NOT RECOMMEND using IceHrm until this security issue is fixed immediately! @gamonoid @icehrm

ghost commented 3 years ago

Due to this urgent issue, I have switched to a different HRM software.

thilinah commented 3 years ago

This has nothing to do with icehrm. You first need to make your data directory non-indexable and set correct permissions on the directory. @roadtrip-max if you don't know how to store files securely on your web server, changing the HR software won't help. If you need to, you can use Amazon S3 as your file storage.
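An added example of the lock-down the comment above describes, written for this page and not part of IceHrm. Two points a practitioner should keep in mind: turning off directory listings (`Options -Indexes`) stops browsing but does not stop the case in the report, where the attacker already knows the file name, so the `.htaccess` here also denies all direct web access. That is only safe if the application streams attachments through PHP rather than linking straight into `app/data`; if it links directly, a login-gated download script has to exist first. The permission values (0750 for directories, 0640 for files) assume the tree is owned by, or group-shared with, the user PHP runs as; the chown itself needs root and is left to the administrator. `make_demo_dir` builds a constructed sample tree with the 777 permissions from the report so the audit can be run offline.

```python
import stat
import tempfile
from pathlib import Path

# Apache directives: no directory listings, and no direct web access to
# anything in the data directory (2.4 syntax with a 2.2 fallback).
# Assumption: AllowOverride permits Options and authz in .htaccess here.
HTACCESS = """Options -Indexes
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
"""

DIR_MODE = 0o750   # owner rwx, group rx, nothing for "other"
FILE_MODE = 0o640  # owner rw,  group r,  nothing for "other"


def audit_data_dir(path):
    """Return findings for a data directory: entries readable or writable by
    every local user, symlinks (not followed), and a missing web-access denial."""
    root = Path(path)
    findings = []
    for p in [root, *root.rglob("*")]:
        if p.is_symlink():
            findings.append(f"symlink in data dir (not followed): {p}")
            continue
        mode = stat.S_IMODE(p.lstat().st_mode)
        if mode & stat.S_IWOTH:
            findings.append(f"world-writable: {p}")
        elif mode & stat.S_IROTH:
            findings.append(f"world-readable: {p}")
    ht = root / ".htaccess"
    if not ht.is_file() or "Require all denied" not in ht.read_text():
        findings.append(f"no web-access denial in {ht}")
    return findings


def harden_data_dir(path):
    """Write the denying .htaccess, then tighten modes on every entry.
    Returns the post-hardening audit so the caller can confirm it is empty."""
    root = Path(path)
    (root / ".htaccess").write_text(HTACCESS)
    # The list is built before any chmod, and the owner keeps rwx on
    # directories, so descending into already-tightened dirs still works.
    for p in [root, *root.rglob("*")]:
        if p.is_symlink():
            continue
        p.chmod(DIR_MODE if p.is_dir() else FILE_MODE)
    return audit_data_dir(root)


def make_demo_dir():
    """Constructed sample: a temp tree shaped like app/data with an attachment,
    everything chmod 777 as in the report. Not real IceHrm data."""
    root = Path(tempfile.mkdtemp(prefix="icehrm-data-"))
    sub = root / "attachments"
    sub.mkdir()
    (sub / "payslip.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    for p in (sub / "payslip.pdf", sub, root):
        p.chmod(0o777)
    return root


if __name__ == "__main__":
    demo = make_demo_dir()
    print("before:", audit_data_dir(demo))
    print("after: ", harden_data_dir(demo))
```

For nginx the equivalent is a `location ^~ /app/data/ { deny all; }` block in the server config; the permission and symlink checks apply unchanged.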

thilinah commented 3 years ago

@lankasomayajulu there are some improvements that can be made to how files are stored in IceHrm. We will add these improvements to the next release of IceHrm.

If you prefer using S3, follow these steps to switch to AWS S3.

Execute the following query:

INSERT INTO `Settings` (`name`, `value`, `description`, `meta`, `category`) VALUES
  ('Files: Upload Files to S3', '0', '','["value", {"label":"Value","type":"select","source":[["1","Yes"],["0","No"]]}]', 'System'),
  ('Files: Amazon S3 Key for File Upload', '', 'Please provide S3 Key for uploading files','','System'),
  ('Files: Amazone S3 Secret for File Upload', '',  'Please provide S3 Secret for uploading files','','System'),
  ('Files: S3 Bucket', '',  'Please provide S3 Bucket name for uploading files','','System'),
  ('Files: S3 Web Url', '',  'Please provide Url to the s3 bucket','','System');

Then these settings will appear under the System -> Settings -> System tab.

Steps to configure S3 bucket

Testing

Next Steps

cameronglegg commented 2 years ago

@thilinah This is great. Thank you for the walk through.

My upload attachment "Choose File" button disappears when I go to upload a file now. It does not add the file to the S3 bucket, and my IAM user is never called. Any thoughts?

I am able to disable the S3 file upload and return to loading documents straight onto the server.


thilinah commented 2 years ago

Setting "Files: Upload Files to S3" to No via the settings module will let you upload files to the server again.

For debugging S3 file uploads

But the error log should reveal what your issue is.

cameronglegg commented 2 years ago

@thilinah

Thank you. I was able to find out that php-curl had not been installed.

Unfortunately, I am now receiving this error.

<Error>
<Code>InvalidRequest</Code>
<Message>The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.</Message>
<RequestId>RVSM0Q11HQ5RTFC3</RequestId>
<HostId>klNXGfLYdtMTvvPyx0c47Zq3V90htGDP4jEFLSDHqoAn1WgmdtiUjcrdVSIft5qE4pvBz+mwy3M=</HostId>
</Error>

Any help is appreciated.

Full Log:

Stack trace:
#0 phar:///var/www/html/icehrm/core/lib/aws.phar/Aws/Common/Client/AbstractClient.php(76): Guzzle\Http\Client->__construct()
#1 phar:///var/www/html/icehrm/core/lib/aws.phar/Aws/Common/Client/ClientBuilder.php(252): Aws\Common\Client\AbstractClient->__const>
#2 phar:///var/www/html/icehrm/core/lib/aws.phar/Aws/S3/S3Client.php(206): Aws\Common\Client\ClientBuilder->build()
#3 /var/www/html/icehrm/core/src/Classes/S3FileSystem.php(24): Aws\S3\S3Client::factory()
#4 /var/www/html/icehrm/core/fileupload.php(161): Classes\S3FileSystem->__construct()
#5 /var/www/html/icehrm/app/fileupload.php(3): include('/var/www/html/i...')
#6 {main}
  thrown in phar:///var/www/html/icehrm/core/lib/aws.phar/Guzzle/Http/Client.php on line 72
[2021-09-16 22:52:49] Ice Hrm.ERROR: (client=app) The authorization mechanism you have provided is not supported. Please use AWS4-HM>
[2021-09-16 22:52:49] Ice Hrm.ERROR: (client=app) Aws\S3\Exception\InvalidRequestException: AWS Error Code: InvalidRequest, Status C>
[2021-09-16 22:52:49] Ice Hrm.INFO: (client=app) Response from s3 file sys: [] []
[2021-09-16 22:55:48] Ice Hrm.ERROR: (client=app) The authorization mechanism you have provided is not supported. Please use AWS4-HM>
[2021-09-16 22:55:48] Ice Hrm.ERROR: (client=app) Aws\S3\Exception\InvalidRequestException: AWS Error Code: InvalidRequest, Status C>
[2021-09-16 22:55:48] Ice Hrm.INFO: (client=app) Response from s3 file sys: [] []
[2021-09-16 23:00:50] Ice Hrm.ERROR: (client=app) The authorization mechanism you have provided is not supported. Please use AWS4-HM>
[2021-09-16 23:00:50] Ice Hrm.ERROR: (client=app) Aws\S3\Exception\InvalidRequestException: AWS Error Code: InvalidRequest, Status C>
[2021-09-16 23:00:50] Ice Hrm.INFO: (client=app) Response from s3 file sys: [] []

This is the link for the Sig4 Header Documentation
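Some context on the error above, followed by an added example; neither is part of the thread or of IceHrm. The `Aws\Common\Client` and Guzzle frames in the stack trace show the bundled `aws.phar` is the 2.x PHP SDK, which signs S3 requests with the older Signature Version 2 scheme unless configured otherwise; S3 regions opened after early 2014 accept only Signature Version 4, which is exactly what the `InvalidRequest` body is asking for. In the 2.x SDK the `S3Client::factory()` options include `'signature' => 'v4'` together with `'region'`; where IceHrm builds its client (`S3FileSystem.php` in the trace) is not visible on this page, so treat that as the place to check rather than a confirmed fix. The Python below, written for this page, carries out the AWS4-HMAC-SHA256 computation the server wants, so a practitioner can see what a compliant `Authorization` header contains and diff it against a failing request. It is checked against the worked GET Object example in the AWS S3 signing documentation; the access key `AKIAIOSFODNN7EXAMPLE` and secret `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` are that documentation's placeholder credentials, not real ones.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """Derive the per-day signing key: an HMAC chain over date, region, service."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload_hash):
    """Build the canonical request string and the SignedHeaders list.
    Header names are lowercased and sorted, values trimmed and space-collapsed."""
    canon = {k.lower().strip(): " ".join(v.strip().split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(canon))
    header_block = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    canon_path = quote(path, safe="/-_.~")
    # The trailing "\n" on header_block plus the join separator gives the
    # required blank line between CanonicalHeaders and SignedHeaders.
    creq = "\n".join([method, canon_path, canon_query, header_block, signed_headers, payload_hash])
    return creq, signed_headers


def sign_s3_request(access_key, secret_key, region, method, host, path, amz_date,
                    query=None, extra_headers=None, payload=b""):
    """Return the headers to send plus the intermediate strings for debugging.
    amz_date is the ISO8601 basic timestamp, e.g. 20130524T000000Z."""
    query = query or {}
    date_stamp = amz_date[:8]
    payload_hash = sha256_hex(payload)  # S3 requires x-amz-content-sha256
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    headers.update(extra_headers or {})
    creq, signed_headers = canonical_request(method, path, query, headers, payload_hash)
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["Authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{scope},"
        f"SignedHeaders={signed_headers},Signature={signature}"
    )
    return {"headers": headers, "canonical_request": creq,
            "string_to_sign": string_to_sign, "signature": signature}


def doc_example():
    """The GET Object example from the AWS S3 SigV4 documentation
    (placeholder credentials from that documentation, not real keys)."""
    return sign_s3_request(
        access_key="AKIAIOSFODNN7EXAMPLE",
        secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        region="us-east-1",
        method="GET",
        host="examplebucket.s3.amazonaws.com",
        path="/test.txt",
        amz_date="20130524T000000Z",
        extra_headers={"Range": "bytes=0-9"},
    )


if __name__ == "__main__":
    result = doc_example()
    print(result["canonical_request"])
    print(result["headers"]["Authorization"])
```

When comparing against a failing client, the three things to line up are the canonical request (header set and ordering), the credential scope (date, region, `s3`), and the payload hash; a request signed with the older scheme carries an `Authorization: AWS AKIA...:base64` header instead and is rejected with the message seen in the log.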