lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 24 Jun 2010 00:54:10 +0200
From: Dade <dade@...nsec.com>
To: full-disclosure@...ts.grok.org.uk
Subject: [PainSec 2010-001]: ActiveCollab 2.3.0 Directory
	Traversal / Local File Inclusion

============================================================
PAINSEC SECURITY RESEARCH GROUP SECURITY ADVISORY 2010-001
- Original release date: June 24th, 2010
- Discovered by: Jose Carlos de Arriba (dade (at) painsec (dot) com)
- Severity: 10/10 (Base CVSS Score)
============================================================

I. VULNERABILITY
-------------------------
ActiveCollab 2.3.0 Local File Inclusion / Directory Traversal (prior
version hasn't been checked so are probably vulnerable).

II. BACKGROUND
-------------------------
ActiveCollab is a non-free project management & collaboration tool
that you can
set up on your own server or local network. Work with your team,
clients and contractors in an easy to use environment, while keeping
full control over your data.

III. DESCRIPTION
-------------------------
ActiveCollab presents a Local File Inclusion / Directory Traversal
vulnerability on its "module" parameter, due to an insufficient
sanitization on user supplied data.

A malicious user could get all the files in the web server, and also
get all a shell in the system, in case of being able to write PHP code
in any file that could be loaded through the "module" parameter
(i.e Apache logs).

IV. PROOF OF CONCEPT
-------------------------
http://www.victim.com/active/index.php?action=DetailView&module=/../....

V. BUSINESS IMPACT
-------------------------
An attacker could get all files in the server or gain complete access.

VI. SYSTEMS AFFECTED
-------------------------
ActiveCollab 2.3.0 (prior version hasn't been checked so are probably
vulnerable).

VII. SOLUTION
-------------------------
Corrected

VIII. REFERENCES
-------------------------
http://www.activecollab.com
http://www.painsec.com
http://www.dadesecurity.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Jose Carlos de Arriba (dade (at) painsec (dot) com).

X. REVISION HISTORY
-------------------------
June    24, 2010: Initial release.

XI. DISCLOSURE TIMELINE
-------------------------
June    9, 2010: Discovered by Jose Carlos de Arriba (Dade).
June   19, 2010: Vendor contacted including PoC. No response.
June   20, 2010: Response from ActiveCollab developer confirming
future fix.
June   24, 2010: Vulnerability fixed on 2.3.1 version release.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ