{"id": "EDB-ID:14027", "type": "exploitdb", "bulletinFamily": "exploit", "title": "ActiveCollab 2.3.0 - Local File Inclusion / Directory Traversal", "description": "ActiveCollab 2.3.0 Local File Inclusion / Directory Traversal. Webapps exploit for php platform", "published": "2010-06-24T00:00:00", "modified": "2010-06-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/14027/", "reporter": "Jose Carlos de Arriba", "references": [], "cvelist": [], "lastseen": "2016-02-01T18:59:35", "viewCount": 6, "enchantments": {"score": {"value": -0.6, "vector": "NONE", "modified": "2016-02-01T18:59:35", "rev": 2}, "dependencies": {"references": [], "modified": "2016-02-01T18:59:35", "rev": 2}, "vulnersScore": -0.6}, "sourceHref": "https://www.exploit-db.com/download/14027/", "sourceData": "============================================================\r\nPAINSEC SECURITY RESEARCH GROUP SECURITY ADVISORY 2010-001\r\n- Original release date: June 24th, 2010\r\n- Discovered by: Jose Carlos de Arriba (dade (at) painsec (dot) com)\r\n- Severity: 10/10 (Base CVSS Score)\r\n============================================================\r\n\r\nI. VULNERABILITY\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nActiveCollab 2.3.0 Local File Inclusion / Directory Traversal (prior\r\nversion hasn\u2019t been checked so are probably vulnerable).\r\n\r\nII. BACKGROUND\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nActiveCollab is a non-free project management & collaboration tool\r\nthat you can\r\nset up on your own server or local network. Work with your team,\r\nclients and contractors in an easy to use environment, while keeping\r\nfull control over your data.\r\n\r\nIII. DESCRIPTION\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nActiveCollab presents a Local File Inclusion / Directory Traversal\r\nvulnerability on its \u201cmodule\u201d parameter, due to an insufficient\r\nsanitization on user supplied data.\r\n\r\nA malicious user could get all the files in the web server, and also\r\nget all a shell in the system, in case of being able to write PHP code\r\nin any file that could be loaded through the \u201cmodule\u201d parameter\r\n(i.e Apache logs).\r\n\r\nIV. PROOF OF CONCEPT\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nhttp://www.victim.com/active/index.php?action=DetailView&module=/../../../../../../../etc/passwd%00<http://www.victim.com/active/index.php?action=DetailView&module=/../..>\r\n\r\nV. BUSINESS IMPACT\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nAn attacker could get all files in the server or gain complete access.\r\n\r\nVI. SYSTEMS AFFECTED\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nActiveCollab 2.3.0 (prior version hasn\u2019t been checked so are probably\r\nvulnerable).\r\n\r\nVII. SOLUTION\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nCorrected\r\n\r\nVIII. REFERENCES\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nhttp://www.activecollab.com\r\nhttp://www.painsec.com\r\nhttp://www.dadesecurity.com\r\n\r\nIX. CREDITS\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nThis vulnerability has been discovered\r\nby Jose Carlos de Arriba (dade (at) painsec (dot) com).\r\n\r\nX. REVISION HISTORY\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nJune 24, 2010: Initial release.\r\n\r\nXI. DISCLOSURE TIMELINE\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nJune 9, 2010: Discovered by Jose Carlos de Arriba (Dade).\r\nJune 19, 2010: Vendor contacted including PoC. No response.\r\nJune 20, 2010: Response from ActiveCollab developer confirming\r\nfuture fix.\r\nJune 24, 2010: Vulnerability fixed on 2.3.1 version release.\r\n\r\nXII. LEGAL NOTICES\r\n\u2014\u2014\u2014\u2014\u2014\u2014\u2014\u2014-\r\nThe information contained within this advisory is supplied \u201cas-is\u201d\r\nwith no warranties or guarantees of fitness of use or otherwise.", "osvdbidlist": ["65800"]}

{}