PHPCollab version 2.5 fails to properly block access to data on the system.
ad1e859a0053e07ee00038c1f82d65922620560b4eba951b6f1db6e5b2ee29a5
# Date: 3/5/2012
# Author: team ' and 1=1--
# Software Link: http://www.phpcollab.com/
# Version: 2.5
# Vulnerability was found during the AthCon IT Security Conference CTF
#CTF organizer: echothrust
We identified that the PhpCollab application installed under
http://192.0.0.2/phpcollab/ allows the unauthenticated access of all
authenticated content. Specifically when requesting a URL that requires
authentication, such as:
http://192.0.0.2/phpcollab/clients/listclients.php, the server responds
with a redirect (location header) to '../index.php?session=false', which
displays a session error and the login form. However upon inspecting the
response of the request, we can clearly see that all the application data
is returned. This issue allows us to access a number of PhpCollab pages
without any authentication (it must be noted that some of the
administration pages are not available when exploiting the issue). As an
example by using the following command an attacker can retrieve the phpinfo
of the server:
curl -i http://192.0.0.2/phpcollab/administration/phpinfo.php
phpinfo reveals that the system is:
Linux lamp.acmesec.fake 3.1.0-7.fc16.i686.PAE #1 SMP Tue Nov 1 20:53:45 UTC
2011 i686