Jobberbase 2.0 - Multiple Vulnerabilities
2016-09-08 20:05:25Jobberbase: http://www.jobberbase.com/
Version: 2.0
By Ross Marks: http://www.rossmarks.co.uk
1) Local path disclosure - change any variable to an array and in most cases it will tell you the local path where the application is installed
eg. http://example.com/api/api.php?action=getJobs&type[]=0&category=0&count=5&random=1&days_behind=7&response=js
returns: Array to string conversion in <b>/var/www/jobberbase/_lib/class.Job.php</b>
2) Open redirect - when submitting an application can change "Referer:" header to anything and will redirect there
3) reflect XSS in username - http://example.com/admin/
eg. "><script>alert(1)</script>
reflect XSS in search: http://example.com/search/|<img src="x" onError="alert(1)">/
4) persistant XSS on admin backend homepage
create a job and give the URL:
" onhover="alert(1)
persistant XSS - admin add to category name (no protection)
5) unrestricted file upload
upload CV accepts any filetype appends _ uniqueid() to filename
eg. "file.php" becomes "file_<uniqueid>.php"
uniquid in in insecure method for generating random sequences and is based on microtime
if the server is using an older version of PHP a null byte can be used
ie. "test.php%00.php" would be uploaded as "test.php"
6) code execution race condition:
if the admin has chosen to not store uploaded CV's
they are first moved from /tmp to the writable /upload directory before being unlinked
this gives a brief window of opportunity for an attacker to run http://example.com/uploads/file.php before it is deleted
7) SQL injection in http://example.com/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=7&response=js
days_behind parameter is vulnerable
** notes **
admin change password page don't need old password, no csrf token just a simple POST request.
admin password stored in md5 format unsalted
cookies do NOT have "secure" or "HTTPonly" flags enabled
no csrf anywhere
Fixes
No fixesPer poter inviare un fix è necessario essere utenti registrati.