Menu

Search for hundreds of thousands of exploits

"ActiveCollab 2.3.0 - Local File Inclusion / Directory Traversal"

Author

Exploit author

"Jose Carlos de Arriba"

Platform

Exploit platform

php

Release date

Exploit published date

2010-06-24

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
============================================================
PAINSEC SECURITY RESEARCH GROUP SECURITY ADVISORY 2010-001
- Original release date: June 24th, 2010
- Discovered by: Jose Carlos de Arriba (dade (at) painsec (dot) com)
- Severity: 10/10 (Base CVSS Score)
============================================================

I. VULNERABILITY
————————-
ActiveCollab 2.3.0 Local File Inclusion / Directory Traversal (prior
version hasnt been checked so are probably vulnerable).

II. BACKGROUND
————————-
ActiveCollab is a non-free project management & collaboration tool
that you can
set up on your own server or local network. Work with your team,
clients and contractors in an easy to use environment, while keeping
full control over your data.

III. DESCRIPTION
————————-
ActiveCollab presents a Local File Inclusion / Directory Traversal
vulnerability on its module parameter, due to an insufficient
sanitization on user supplied data.

A malicious user could get all the files in the web server, and also
get all a shell in the system, in case of being able to write PHP code
in any file that could be loaded through the module parameter
(i.e Apache logs).

IV. PROOF OF CONCEPT
————————-
http://www.victim.com/active/index.php?action=DetailView&module=/../../../../../../../etc/passwd%00<http://www.victim.com/active/index.php?action=DetailView&module=/../..>

V. BUSINESS IMPACT
————————-
An attacker could get all files in the server or gain complete access.

VI. SYSTEMS AFFECTED
————————-
ActiveCollab 2.3.0 (prior version hasnt been checked so are probably
vulnerable).

VII. SOLUTION
————————-
Corrected

VIII. REFERENCES
————————-
http://www.activecollab.com
http://www.painsec.com
http://www.dadesecurity.com

IX. CREDITS
————————-
This vulnerability has been discovered
by Jose Carlos de Arriba (dade (at) painsec (dot) com).

X. REVISION HISTORY
————————-
June 24, 2010: Initial release.

XI. DISCLOSURE TIMELINE
————————-
June 9, 2010: Discovered by Jose Carlos de Arriba (Dade).
June 19, 2010: Vendor contacted including PoC. No response.
June 20, 2010: Response from ActiveCollab developer confirming
future fix.
June 24, 2010: Vulnerability fixed on 2.3.1 version release.

XII. LEGAL NOTICES
————————-
The information contained within this advisory is supplied as-is
with no warranties or guarantees of fitness of use or otherwise.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2012-08-17 "LISTSERV 16 - 'SHOWTPL' Cross-Site Scripting" webapps cgi "Jose Carlos de Arriba"
2011-11-15 "Authenex A-Key/ASAS Web Management Control 3.1.0.2 - Blind SQL Injection" webapps multiple "Jose Carlos de Arriba"
2011-11-11 "Infoblox NetMRI 6.2.1 - Admin Login Page Multiple Cross-Site Scripting Vulnerabilities" webapps java "Jose Carlos de Arriba"
2011-11-10 "Joomla! Component com_alfcontact 1.9.3 - Multiple Cross-Site Scripting Vulnerabilities" webapps php "Jose Carlos de Arriba"
2010-06-24 "ActiveCollab 2.3.0 - Local File Inclusion / Directory Traversal" webapps php "Jose Carlos de Arriba" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected