Jobberbase 2.0 - Multiple Vulnerabilities

ID 1337DAY-ID-25313
Type zdt
Reporter Ross Marks
Modified 2016-09-08T00:00:00


Exploit for php platform in category web applications

Version:            2.0
By Ross Marks:
1) Local path disclosure - change any request variable to an array and in most cases the resulting PHP warning reveals the local path where the application is installed
    returns: Array to string conversion in <b>/var/www/jobberbase/_lib/class.Job.php</b>
2) Open redirect - when submitting an application, the "Referer:" header can be changed to anything and the user will be redirected there
3) reflected XSS in username -
        eg. "><script>alert(1)</script>
    reflected XSS in search:|<img src="x" onError="alert(1)">/
4) persistent XSS on admin backend homepage
        create a job and give the URL:
        " onhover="alert(1)
    persistent XSS - admin add to category name (no protection)
5) unrestricted file upload
    the CV upload accepts any file type and appends _ plus uniqid() to the filename
    eg. "file.php" becomes "file_<uniqueid>.php"
    uniqid() is an insecure method for generating random sequences, since it is based on microtime
    if the server is running an older version of PHP, a null byte can be used
    ie. "test.php%00.php" would be uploaded as "test.php"
6) code execution race condition:
    if the admin has chosen not to store uploaded CVs,
    they are first moved from /tmp to the writable /upload directory before being unlinked
    this gives an attacker a brief window of opportunity to run the file before it is deleted
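As an added example (not Jobberbase code, and not the reporter's), a hardened CV upload handler that addresses items 5 and 6: an extension allowlist, explicit null-byte rejection, content sniffing, a CSPRNG-derived filename instead of uniqid(), storage outside the web root, and, for the "do not keep CVs" case, reading the file straight from PHP's temp file so nothing is ever moved into the web-accessible upload directory. The constant values, the store directory and the size limit are assumptions for illustration.

```php
<?php
// Added example, not Jobberbase code: hardened CV upload for items 5 and 6.
// The $_FILES field layout, paths and size limit are assumptions for illustration.
const CV_ALLOWED_EXT = ['pdf', 'doc', 'docx', 'odt', 'txt']; // allowlist, no scripts
const CV_MAX_BYTES   = 2 * 1024 * 1024;
const CV_STORE_DIR   = '/var/lib/jobberbase-cv'; // assumed: outside the web root

// Validate the upload and return its lowercase extension; throws on any problem.
function validate_cv_upload(array $file): string
{
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > CV_MAX_BYTES) {
        throw new RuntimeException('upload failed or too large');
    }
    // Reject embedded null bytes instead of relying on the PHP version to stop them.
    if (strpos($file['name'], "\0") !== false) {
        throw new RuntimeException('invalid filename');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, CV_ALLOWED_EXT, true)) {
        throw new RuntimeException('file type not allowed');
    }
    // Sniff the real content: a ".pdf" that is actually PHP or HTML is refused.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (in_array($mime, ['text/x-php', 'application/x-httpd-php', 'text/html'], true)) {
        throw new RuntimeException('file content not allowed');
    }
    return $ext;
}
// Admin keeps CVs: CSPRNG-derived name (not uniqid()/microtime), stored outside the web root.
function store_cv(array $file): string
{
    $ext  = validate_cv_upload($file);
    $dest = CV_STORE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}
// Admin does not keep CVs: read from PHP's temp file (removed at request end); nothing
// ever lands in the web-accessible upload directory, so the race window in item 6 is gone.
function read_cv_without_storing(array $file): string
{
    validate_cv_upload($file);
    return file_get_contents($file['tmp_name']);
}
```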
7) SQL injection in
    the days_behind parameter is vulnerable
** notes **
the admin change-password page does not require the old password and has no CSRF token; it is just a simple POST request
admin password stored as unsalted MD5
cookies do NOT have the "Secure" or "HttpOnly" flags set
no CSRF protection anywhere

# [2018-01-26]  #