header-logo
Suggest Exploit
vendor:
Jobberbase
by:
Ross Marks
7.5
CVSS
HIGH
Multiple
200
CWE
Product Name: Jobberbase
Affected Version From: 2
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:jobberbase
Metasploit:
Other Scripts:
Platforms Tested:

Jobberbase Vulnerabilities

1) Local path disclosure - changing a variable to an array can reveal the local path where the application is installed. 2) Open redirect - the 'Referer' header can be manipulated to redirect to any URL. 3) Reflected XSS in username and search fields. 4) Persistent XSS on admin backend homepage and in category name. 5) Unrestricted file upload allows uploading any file type. 6) Code execution race condition during file upload. 7) SQL injection in the 'days_behind' parameter of the getJobs API.

Mitigation:

1) Sanitize user input to prevent local path disclosure. 2) Validate and sanitize user input for redirect URLs. 3) Implement proper input validation and output encoding to prevent XSS attacks. 4) Implement input validation and output encoding to prevent persistent XSS attacks. 5) Implement file type validation and use secure randomization methods for file names. 6) Move uploaded files to the final directory without giving attackers an opportunity to execute code. 7) Use prepared statements or parameterized queries to prevent SQL injection attacks.
Source

Exploit-DB raw data:

Jobberbase:			http://www.jobberbase.com/
Version:			2.0
By Ross Marks: 		http://www.rossmarks.co.uk

1) Local path disclosure - change any variable to an array and in most cases it will tell you the local path where the application is installed
	eg. http://example.com/api/api.php?action=getJobs&type[]=0&category=0&count=5&random=1&days_behind=7&response=js
	returns: Array to string conversion in <b>/var/www/jobberbase/_lib/class.Job.php</b>

2) Open redirect - when submitting an application can change "Referer:" header to anything and will redirect there

3) reflect XSS in username - http://example.com/admin/
		eg. "><script>alert(1)</script>
	reflect XSS in search: http://example.com/search/|<img src="x" onError="alert(1)">/

4) persistant XSS on admin backend homepage
		create a job and give the URL:
		" onhover="alert(1)
	persistant XSS - admin add to category name (no protection)

5) unrestricted file upload
	upload CV accepts any filetype appends _ uniqueid() to filename
	eg. "file.php" becomes "file_<uniqueid>.php"
	uniquid in in insecure method for generating random sequences and is based on microtime
	if the server is using an older version of PHP a null byte can be used 
	ie. "test.php%00.php" would be uploaded as "test.php"

6) code execution race condition:
	if the admin has chosen to not store uploaded CV's 
	they are first moved from /tmp to the writable /upload directory before being unlinked
	this gives a brief window of opportunity for an attacker to run http://example.com/uploads/file.php before it is deleted

7) SQL injection in http://example.com/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=7&response=js
	days_behind parameter is vulnerable

** notes **

admin change password page don't need old password, no csrf token just a simple POST request.
admin password stored in md5 format unsalted
cookies do NOT have "secure" or "HTTPonly" flags enabled
no csrf anywhere

Navigation

Suggest Exploit

Services By CQR