ActiveCollab 2.3.0 – Local File Inclusion / Directory Traversal

• Exploit Database
• 12 阅读

• 作者： Jose Carlos de Arriba
  日期： 2010-06-24
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/14027/

• ============================================================
  PAINSEC SECURITY RESEARCH GROUP SECURITY ADVISORY 2010-001
  - Original release date: June 24th, 2010
  - Discovered by: Jose Carlos de Arriba (dade (at) painsec (dot) com)
  - Severity: 10/10 (Base CVSS Score)
  ============================================================
  
  I. VULNERABILITY
  ————————-
  ActiveCollab 2.3.0 Local File Inclusion / Directory Traversal (prior
  version hasn’t been checked so are probably vulnerable).
  
  II. BACKGROUND
  ————————-
  ActiveCollab is a non-free project management & collaboration tool
  that you can
  set up on your own server or local network. Work with your team,
  clients and contractors in an easy to use environment, while keeping
  full control over your data.
  
  III. DESCRIPTION
  ————————-
  ActiveCollab presents a Local File Inclusion / Directory Traversal
  vulnerability on its “module” parameter, due to an insufficient
  sanitization on user supplied data.
  
  A malicious user could get all the files in the web server, and also
  get all a shell in the system, in case of being able to write PHP code
  in any file that could be loaded through the “module” parameter
  (i.e Apache logs).
  
  IV. PROOF OF CONCEPT
  ————————-
  http://www.victim.com/active/index.php?action=DetailView&module=/../../../../../../../etc/passwd%00<http://www.victim.com/active/index.php?action=DetailView&module=/../..>
  
  V. BUSINESS IMPACT
  ————————-
  An attacker could get all files in the server or gain complete access.
  
  VI. SYSTEMS AFFECTED
  ————————-
  ActiveCollab 2.3.0 (prior version hasn’t been checked so are probably
  vulnerable).
  
  VII. SOLUTION
  ————————-
  Corrected
  
  VIII. REFERENCES
  ————————-
  http://www.activecollab.com
  http://www.painsec.com
  http://www.dadesecurity.com
  
  IX. CREDITS
  ————————-
  This vulnerability has been discovered
  by Jose Carlos de Arriba (dade (at) painsec (dot) com).
  
  X. REVISION HISTORY
  ————————-
  June 24, 2010: Initial release.
  
  XI. DISCLOSURE TIMELINE
  ————————-
  June 9, 2010: Discovered by Jose Carlos de Arriba (Dade).
  June 19, 2010: Vendor contacted including PoC. No response.
  June 20, 2010: Response from ActiveCollab developer confirming
  future fix.
  June 24, 2010: Vulnerability fixed on 2.3.1 version release.
  
  XII. LEGAL NOTICES
  ————————-
  The information contained within this advisory is supplied “as-is”
  with no warranties or guarantees of fitness of use or otherwise.