Vulnerability Spotlight: SQL injection vulnerability in Glacies IceHRM

Yuri Kramarz of Cisco Talos discovered this vulnerability. Blog by Jon Munshaw.

Cisco Talos researchers recently discovered that the Glacies' IceHRM software contains a vulnerability that could allow an adversary to inject SQL. IceHRM is a human resource management tool, allowing

users to create and track timesheets for employees, upload documents and manage payroll. An attacker could send the software a specially crafted HTTP request, which can open the door for SQL injection. This could allow the attacker to access information such as usernames and password hashes stored in the software's database.

In accordance with our coordinated disclosure policy, Cisco Talos worked with Glacies to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Glacies IceHRM admin reports SQL injection vulnerability (TALOS-2020-1067/CVE-2020-6114)

An exploitable SQL injection vulnerability exists in the admin reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Read the complete vulnerability advisory here for additional information.

Versions tested

Talos tested and confirmed that this vulnerability affects IceHRM, version 26.6.0.OS (commit bb274de1751ffb9d09482fd2538f9950a94c510a).

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 53944, 53945