Vendor: ACollab
By: AmnPardaz Security Research Team
CVSS: 7.5 (HIGH)
Vulnerability type: SQL Injection, Authentication Bypass
CWE: 89, 287
Product Name: ACollab
Affected Version From: 1.2
Affected Version To: 1.2
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Web-based

ACollab Multiple Vulnerabilities

ACollab, as described by its vendor, is an accessible, open source, multi-group, Web-based collaborative work environment. ACollab is available as a standalone collaborative work environment that will run on its own. ACollab is ideal for groups working at a distance developing documentation, collaborating on research, or writing joint papers.

All of the parameters are sanitized correctly before being used in SQL queries, except for the POST parameters 'login' and 'password' in the 'sign_in.php' page. These parameters can be used for injecting arbitrary SQL queries; the 'login' parameter is single quoted and the 'password' parameter is single parenthesized, single quoted.

The ACollab CMS uses two mechanisms for authentication: one for the master admin user, which is based on a hard-coded username/password initialized in the installation process, and a DB-based authentication for all other users, including the group administrators, who can add/remove/edit all posts, news and so on from the forums and the first screen of the website. The second authentication mechanism can be bypassed.

Go to the sign in page at 'victim.net/ACollab/sign_in.php' and use the following vectors for injecting your desired SQL query, namely $Q:
- In the Username field (login POST parameter): ' or $Q or ''='
- In the Password field (password POST parameter): ' or $Q or ''='

Go to the sign in page at 'victim.net/ACollab/sign_in.php' and use the following vectors for bypassing the authentication:
- In the Username field (login POST parameter): ' or 1=1 or ''='
- In the Password field (password POST parameter): ' or 1=1 or ''='

Mitigation:

N/A

Exploit-DB raw data:

##########################www.BugReport.ir########################################
#
#        AmnPardaz Security Research Team
#
# Title:		ACollab Multiple Vulnerabilities
# Vendor:		http://www.atutor.ca/acollab
# Vulnerable Version:	1.2 (Latest version till now)
# Exploitation:		Remote with browser
# Fix:					N/A
###################################################################################

####################
- Description:
####################

ACollab as described by its vendor is an accessible, open source, multi-group,
Web-based collaborative work environment. ACollab is available as a standalone
collaborative work environment that will run on its own. ACollab is ideal for
groups working at a distance developing documentation, collaborating on
research, or writing joint papers.


####################
- Vulnerability:
####################

+--> SQL Injection
	All of the parameters are sanitized correctly before being used in SQL
	queries, except for the POST parameters 'login' and 'password' in the
	"sign_in.php" page. These parameters can be used for injecting arbitrary
	SQL queries; the 'login' parameter is single quoted and the 'password'
	parameter is single parenthesized, single quoted.

+--> Authentication Bypass
	The ACollab CMS uses two mechanisms for authentication: one for the master
	admin user, which is based on a hard-coded username/password initialized
	in the installation process, and a DB-based authentication for all other
	users, including the group administrators, who can add/remove/edit all
	posts, news and so on from the forums and the first screen of the website.
	The second authentication mechanism can be bypassed.

####################
- Exploits/PoCs:
####################

+--> Exploiting The (MySQL) SQL Injection Vulnerability:
	Go to the sign in page at "victim.net/ACollab/sign_in.php" and use the
	following vectors for injecting your desired SQL query, namely $Q:
	  - In the Username field (login POST parameter): ' or $Q or ''='
	  - In the Password field (password POST parameter): ') or $Q or (''='

+--> Exploiting The Authentication Bypass Vulnerability:
	You can log in as any one of the registered users of ACollab CMS by
	providing the following vector as username and nothing as password:
	  'or''='' limit 1 offset 0 -- '
	The above vector will log you in as the first user according to its member
	id order. You can log in as other users, searching for a group
	administrator account, with the following vectors:
	  'or''='' limit 1 offset 0 -- '
	  'or''='' limit 1 offset 1 -- '
	  'or''='' limit 1 offset 2 -- '
	    ....

####################
- Solution:
####################

Add the following lines
     $_POST['login'] = addslashes ($_POST['login']);
     $_POST['password'] = addslashes ($_POST['password']);
at line 46 of the 'sign_in.php' file.
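
The fix above escapes quotes in the two POST values before they reach the query. As an added example (not ACollab's code and not from the advisory), the same sign-in lookup is shown built by concatenation and then with bound parameters, which keep the values out of the SQL text altogether. The query shape is inferred from the advisory's description; the members table, its columns, the function names and the sample accounts are hypothetical, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example. Table, column and function names are hypothetical; in-memory
// SQLite stands in for ACollab's MySQL database; sample accounts are constructed
// and compared as plain strings only to keep the focus on parameter binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (member_id INTEGER PRIMARY KEY, login TEXT, password TEXT)");
$db->exec("INSERT INTO members (login, password) VALUES
           ('alice', 'pw-alice'), ('groupadmin', 'pw-admin')");

// Before: POST values concatenated into the statement, quoted as the advisory
// describes ('login' single quoted, 'password' parenthesised and single quoted).
function sign_in_concat(PDO $db, string $login, string $password): ?string {
    $sql = "SELECT login FROM members WHERE login = '$login' AND password = ('$password')";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['login'] : null;
}

// After: placeholders send the values separately from the SQL text, so quotes,
// LIMIT clauses and comment markers in them are compared as literal characters.
function sign_in_bound(PDO $db, string $login, string $password): ?string {
    $stmt = $db->prepare("SELECT login FROM members WHERE login = ? AND password = (?)");
    $stmt->execute([$login, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['login'] : null;
}

// The last case uses a vector quoted in the advisory, with an empty password.
$cases = [
    'valid credentials'        => ['alice', 'pw-alice'],
    'wrong password'           => ['alice', 'nope'],
    'page vector, login field' => ["'or''='' limit 1 offset 1 -- '", ''],
];
foreach ($cases as $label => [$login, $password]) {
    printf("%-26s concat=%-11s bound=%s\n", $label,
        sign_in_concat($db, $login, $password) ?? 'rejected',
        sign_in_bound($db, $login, $password) ?? 'rejected');
}
```

Only the concatenated version returns an account for the third case; the bound version rejects it because no member has that string as a login.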

####################
- Original Advisory:
####################

http://www.bugreport.ir/index_72.htm

####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com