gamonoid / icehrm

Manage your employees easily with a robust and efficient Human Resource Management System
http://icehrm.com

Security Report: A Remote Code Execution (RCE) vulnerability exists in icehrm via "/app/install/" #303

Closed tuando243 closed 2 years ago

tuando243 commented 2 years ago

A Remote Code Execution (RCE) vulnerability exists in icehrm via "/app/install/".

Steps to exploit:

  1. Navigate to IceHRM Installation: http://localhost/icehrm/app/install.
  2. Insert payload "data/icehrm.log');phpinfo();#" to Log file path and then Install Application.
  3. Visit http://localhost/icehrm/app

[Two screenshots attached, taken 2022-04-09 at 12:30:49 and 12:27:51]
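The root cause behind the report above, as an added example that is not icehrm's own code (the installer function names and the generated config layout are assumptions): a user-supplied path spliced into generated PHP source lets a quote close the string literal, whereas validating the value and emitting it with `var_export()` keeps it inert.

```php
<?php
// Added example, not icehrm's code. Function names and config layout are assumed.

// Unsafe pattern: the value is dropped straight into a single-quoted PHP literal,
// so a quote in the input terminates the string and the remainder becomes PHP code.
function renderConfigUnsafe(string $logPath): string
{
    return "<?php\n"
        . "define('LOG_FILE_PATH', '" . $logPath . "');\n";
}

// Hardened pattern: reject anything that is not a plain relative path, then let
// var_export() produce a correctly quoted literal so no input can escape the string.
function renderConfigSafe(string $logPath): string
{
    if (!preg_match('~^[A-Za-z0-9_./-]+$~', $logPath) || str_contains($logPath, '..')) {
        throw new InvalidArgumentException('Invalid log file path');
    }
    return "<?php\n"
        . "define('LOG_FILE_PATH', " . var_export($logPath, true) . ");\n";
}

// Constructed inputs: the expected value and the payload from the report.
$benign  = 'data/icehrm.log';
$hostile = "data/icehrm.log');phpinfo();#";

// Unsafe output: define('LOG_FILE_PATH', 'data/icehrm.log');phpinfo();#');
// The '#' comments out the dangling quote, so the file parses and phpinfo() runs on include.
echo renderConfigUnsafe($hostile);

// Safe output: define('LOG_FILE_PATH', 'data/icehrm.log');
echo renderConfigSafe($benign);

// The payload never reaches the generated file.
try {
    renderConfigSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}
```

Even without the allow-list, `var_export()` alone closes the injection; the path check is defence in depth against traversal into the web root.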

thilinah commented 2 years ago

This issue is fixed with v32.1. But I think this is not very critical since it won't have any effect once the installation is completed and the installation is done by an admin.