Home / os / winmobile

Collabtive 2.0 Shell Upload

Posted on 29 September 2015

Vulnerability title: Arbitrary File Upload In Collabtive CVE: CVE-2015-0258 Vendor: Collabtive Product: Collabtive Affected version: 2.0 Fixed version: 2.1 Reported by: Arturo Rodriguez Details: It was discovered that authenticated users were able to upload files with extensions: php3, php4, php5 or phtml to the web server. The issue is on the avatar upload functionality. The application checks if the filetype is an image but this can be bypassed using a proxy and changing the type to "image/jpeg" on the file upload request. The application also checks if the extension of the file is php or pl but it doesn't check for .php3 .php4 .php5 or phtml. It is possible to upload a file with one of these extensions and get code execution by going to http://installpath/files/standard/avatar/image_name Even though a random value is appended to the name of the image, it is possible to get the name by seeing the requests the application does when the avatar image is loaded. Impact: An attacker could exploit the functionality to upload server scripts which, when requested by a browser, would execute code on the server.

 

TOP