Collabtive 0.4.8 Multiple Vulnerabilities Name Multiple Vulnerabilities in Collabtive Systems Affected Collabtive 0.4.8 and possibly earlier versions Severity High Impact (CVSSv2) High 8/10, vector: (AV:N/AC:L/Au:S/C:P/I:C/A:P) Vendor http://collabtive.o-dyn.de/ Advisory http://www.ush.it/team/ush/hack-collabtive048/adv.txt Authors Antonio "s4tan" Parata (s4tan AT ush DOT it) Francesco "ascii" Ongaro (ascii AT ush DOT it) Giovanni "evilaliv3" Pellerano (evilaliv3 AT digitalbullets DOT org) Date 20080925 I. BACKGROUND From the Collabtive web site: "Collabtive is collaborative software to get your projects done!". II. DESCRIPTION Multiple vulnerabilities exist in Collabtive software. III. ANALYSIS Summary: A) Stored Cross Site Scripting B) Forceful browsing authentication bypass C) Arbitrary file upload A) Stored Cross Site Scripting A stored XSS vulnerability exists in the "/admin.php?action=projects" section. Once the attacker specifies an XSS attack vector, like "", as the "Name" property of a project then an XSS vulnerability occurs because the projects "Name" fields are stored and printed without any filtering. While the cited section poses limits on the "Name" field when reflecting the XSS payload, clicking on the edit link "/manageproject.php?action=editform&id=" results in a page without limitations on the characters showed thus allowing complete exploitation. This vulnerability requires administrator authentication. CSRF+XSS and timing (JS) can be used to successfully exploit this vulnerability in an automated manner. B) Forceful browsing authentication bypass An authentication bypass vulnerability exists in "/admin.php?action=users&mode=added". Directly pointing to that URL shows an error, however at the bottom of the page there is a web form that permits to create new users with full privileges. With this vulnerability an attacker without any valid credentials can create a new valid administrator. Since this vulnerability has been discovered the exploitation prerequisites changed as detailed below: - A bug fix in the latest version 0.4.8 now requires "globals on" in order to exploit this vulnerability. - In version 0.4.6 instead the vulnerability is exploitable regardless the "globals" settings. C) Arbitrary file upload It's possible to upload arbitrary files with arbitrary extensions. An attacker that has not already gained Administration privileges using the previously exposed vulnerabilities must be assigned to at least one project. To upload a file go to "/managefile.php?action=showproject&id=" and add a new file. If a file with .php extension is uploaded then the mimetype will be "php/plain" and the program will change the extension to .txt in order to prevent exploitation. This security control can be bypassed changing the mimetype to text/plain, in this way the application will believe that a normal .txt file was uploaded and the extension will not be changed. The uploaded file resides in "/files//_$seed.php". An authenticated attacker will simply see the seed (and the complete filename) using the web interface and can directly execute it. In case of unauthenticated attackers the filename must be guessed. Luckily the make_seed() routine leaks real random proprieties and is only based on the time. $seed can be easily bruteforced using values that are likely to match the return derived by the microtime() of the upload. private function make_seed() { list($usec, $sec) = explode(' ', microtime()); $value = (float) $sec + ((float) $usec * 100000); return $value; } As easily understandable $seed can be guessed in really few tries. The same vulnerability exists when attaching a file in the "Messages" section. This vulnerability can also be exploited via CSRF. IV. DETECTION Collabtive 0.4.8 and possibly earlier versions are vulnerable. V. WORKAROUND Proper input validation will fix the vulnerabilities. VI. VENDOR RESPONSE No fix available. VII. CVE INFORMATION No CVE at this time. VIII. DISCLOSURE TIMELINE 20080926 Initial vendor contact (No Response) 20081003 Second vendor contact (No Response) 20081010 Third vendor contact 20081010 Vendor response (Fix promised for the end of October) 20081010 Vendor contact to sync disclosure time (No response) 20081110 Advisory released (Fix not available) IX. CREDIT Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni "evilaliv3" Pellerano are credited with the discovery of this vulnerability. Antonio "s4tan" Parata web site: http://www.ictsc.it/ mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it Francesco "ascii" Ongaro web site: http://www.ush.it/ mail: ascii AT ush DOT it Giovanni "evilaliv3" Pellerano mail: evilaliv3 AT digitalbullets DOT org X. LEGAL NOTICES Copyright (c) 2008 Francesco "ascii" Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.