IceHrm <=7.1 Multiple Vulnerabilities

Title: IceHrm <=7.1 Multiple Vulnerabilities
Advisory ID: ZSL-2014-5215
Type: Local/Remote
Impact: System Access, Cross-Site Scripting, Exposure of System Information, Exposure of Sensitive Information
Risk: (5/5)
Release Date: 08.12.2014
Summary
IceHrm is Human Resource Management web software for small and medium-sized organizations. The software is written in PHP and is available as a community (free) edition, a commercial edition and a hosted (cloud) solution.
Description
IceHrm <= 7.1 suffers from multiple vulnerabilities including Local File Inclusion, Cross-Site Scripting, Malicious File Upload, Cross-Site Request Forgery and Code Execution.
Vendor
IceHrm - http://www.icehrm.com
Affected Version
<= 7.1
Tested On
Apache/2.2.15 (Unix)
PHP/5.3.3
MySQL 5.1.73
Vendor Status
[01.12.2014] Vulnerabilities discovered.
[02.12.2014] Vendor contacted.
[02.12.2014] Vendor confirms the issues and promises a patch.
[04.12.2014] Vendor releases update (new version - v.7.2).
[05.12.2014] Vendor confirms the patch release.
[08.12.2014] Coordinated public security advisory released.
PoC
icehrm_multi.txt
Credits
Vulnerability discovered by Stefan Petrushevski - <stefan@zeroscience.mk>
References
[1] IceHRM - Release note v7.2
[2] http://cxsecurity.com/issue/WLB-2014120041
[3] http://packetstormsecurity.com/files/129416
[4] http://www.securityfocus.com/bid/71552
[5] http://1337day.com/exploit/22972
[6] https://www.yascanner.com/#!/x/20866
[7] http://osvdb.org/show/osvdb/115531
[8] http://osvdb.org/show/osvdb/115532
[9] http://osvdb.org/show/osvdb/115533
[10] http://osvdb.org/show/osvdb/115534
[11] http://osvdb.org/show/osvdb/115535
[12] http://osvdb.org/show/osvdb/115536
[13] http://osvdb.org/show/osvdb/115537
[14] http://www.exploit-db.com/exploits/35490/
[15] http://xforce.iss.net/xforce/xfdb/99242
Changelog
[08.12.2014] - Initial release
[09.12.2014] - Added reference [3], [4], [5], [6], [7], [8], [9], [10], [11], [12] and [13]
[10.12.2014] - Added reference [14]
[15.12.2014] - Added reference [15]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk