BambooHR is written in PHP and as it is widely known PHP allows incompetent programmers to create insecure websites. The majority of BambooHR pages are loaded by referencing a page ID, for example, you can access this URL [1] to render a form that allows you to send documents to arbitrary e-mail addresses, and this URL [2] allows you to edit your own profile.
So far so good. If you are a competent PHP programmer (or a competent programmer in any other language), you make sure these IDs are not consecutive to avoid enumeration attacks, but even if they are part of a guessable sequence you can still secure them by restricting access to all pages except the ones associated with the user ID in the session.
The vulnerabilities I found were a combination of Path Traversal [3], Forced Browsing [4] and Stored Cross Site Scripting [5] that allowed anyone to 1) force a specific PHP file to load arbitrary pages, 2) access data associated with other employee identifiers and 3) send all documents associated with these employee IDs to arbitrary emails by accessing the “Email File” page and crafting a simple HTTP request to bypass a rudimentary form validation.
When I told my boss he continued the investigation and found that we could access a certain amount of data associated with employees registered in other subdomains. People who are familiar with BambooHR will understand how stupid this specific problem is considering each subdomain is isolated from the others, so one would expect them to isolate the databases as well.
I don’t know anything about the architecture of their system so I cannot explain why these security holes allowed us to access data from other companies. I was very scared to continue digging into it and my boss was super pissed off. We didn’t know if they used soft deletes so instead of removing the company’s data we decided to edit it with garbage information, then we migrated to another system.
And that was the end of our story with them. We never reported the problems because I started my “research” without prior authorization from BambooHR, so if we had reported our findings they could have sued my employer and we would have been in bigger trouble. The same thing happened when we found a vulnerability in HipChat [6] in 2014 or so: we reported it and they got super angry at us for conducting that penetration test without permission, the company made an agreement with them and we migrated to Slack.
Good luck to anyone whose employer is still using BambooHR to manage their employee database.
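An added example, not code from BambooHR or from the post above: a minimal PHP page loader that closes the three gaps the post describes (an explicit page map instead of a path built from input, an ownership and tenant check on the employee ID against the session, and output escaping for stored data). The file names, table and column names, session keys and role name are all assumptions.

```php
<?php
// Added example (not BambooHR code). All names here are hypothetical.
declare(strict_types=1);

// 1) Path traversal: map opaque page IDs to files explicitly and never build a
//    path from request input. Unknown IDs fall through to 404, so neither "../"
//    nor an arbitrary filename can ever reach require().
const PAGES = [
    'profile'    => __DIR__ . '/pages/profile.php',
    'email_file' => __DIR__ . '/pages/email_file.php',
];

// 2) Forced browsing / IDOR: the employee ID in the request must belong to the
//    authenticated session, or the caller must hold an explicit role AND the
//    record must live in the same company (tenant) as the session.
function canAccessEmployee(array $session, int $employeeId, PDO $db): bool
{
    if (($session['employee_id'] ?? null) === $employeeId) {
        return true;
    }
    $stmt = $db->prepare('SELECT company_id FROM employees WHERE id = :id');
    $stmt->execute([':id' => $employeeId]);
    $companyId = $stmt->fetchColumn();
    return $companyId !== false
        && (int)$companyId === (int)($session['company_id'] ?? -1)
        && ($session['role'] ?? '') === 'hr_admin';
}

// 3) Stored XSS: escape every value rendered from the database.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render(array $session, array $query, PDO $db): void
{
    $page = $query['page'] ?? '';
    if (!array_key_exists($page, PAGES)) {
        http_response_code(404);
        exit('Not found');
    }
    $employeeId = filter_var($query['employee_id'] ?? null, FILTER_VALIDATE_INT);
    if ($employeeId === false || !canAccessEmployee($session, $employeeId, $db)) {
        http_response_code(403); // same answer for "missing" and "not yours"
        exit('Forbidden');
    }
    require PAGES[$page]; // page templates call e() on every stored field
}
```

The authorization check runs server-side on every request, so client-side form validation (the kind the post says was bypassed with a crafted HTTP request) is never what enforces access.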
> PHP allows incompetent programmers to create insecure websites.
The points you bring up are good but my first instinct was to distrust you as you opened with that. I don't believe any specific shortcoming of PHP makes these issues more or less likely. Anyone can make an insecure website in any language.
Secondly I don't think I quite agree with the ethics of dropping a security vulnerability in a public forum. I think you should edit this message to remove the details and go through the proper channels to get this resolved, if it is indeed still a problem.
Bare PHP (without any framework) and the tons of bad advice surrounding it make it easier to screw up than other languages where it's very hard to do web development without a framework so most beginners start off with a framework directly which provides structure and guard-rails against doing insecure things.
I mean, you're not wrong, but starting the post off by insulting PHP is childish and doesn't inspire trust that the rest of the report is worth reading.
Personally, the ethics of it are secondary to the fact that BambooHR could sue HN to recover the IP address guessmyname used to post, followed by suing their ISP to get an address, and then trawl through their records/backups to link it to an individual. Now, BambooHR may not be run by assholes (I've never encountered them before), and may choose to fix the bug quietly rather than go after "guessmyname" with a lawsuit, but companies are not known for being especially insightful when computer security comes up. (Such as the HipChat example mentioned.)
Hopefully guessmyname always uses VPN/public hotspot to access this site, if it turns out that BambooHR is run by litigious jerks.