Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24544
HistoryAug 17, 2010 - 12:00 a.m.

ACollab Multiple Vulnerabilities

2010-08-1700:00:00
vulners.com
30
JSON

##########################www.BugReport.ir########################################

AmnPardaz Security Research Team

Title: ACollab Multiple Vulnerabilities

Vendor: http://www.atutor.ca/acollab

Vulnerable Version: 1.2 (Latest version till now)

Exploitation: Remote with browser

Fix: N/A

###################################################################################

####################

  • Description:
    ####################

ACollab as described by its vendor is an accessible, open source,
multi-group, Web-based collaborative
work environment. ACollab is available as a standalone collaborative
work environment that will run on
its own. ACollab is ideal for groups working at a distance developing
documentation, collaborating on
research, or writing joint papers.

####################

  • Vulnerability:
    ####################

±-> SQL Injection
All of the parameters are sanitized correctly before being used in
SQL queries else of
the POST parameters 'login' and 'password' in the "sign_in.php" page.
These parameters
can be used for injecting arbitrary SQL queries; the 'login'
parameter is single quoted
and the 'password' parameter is single parenthesized, single quoted.

±-> Authentication Bypass
The ACollab CMS uses two mechanism for authentication. One for master
admin user which is
based on a hard coded username/password initialized in the
installation process. And a DB-based
authentication for all other users, including the group
administrators which can add/remove/edit
all posts and news and … from forums and first screen of the
website. The second authentication
mechanism can be bypassed.

####################

  • Exploits/PoCs:
    ####################

±-> Exploiting The (MySQL) SQL Injection Vulnerability:
Go to the sign in page at "victim.net/ACollab/sign_in.php" and use
the following vectors for injecting
your desired SQL query, namely $Q:
- In the Username field (login POST parameter): ' or $Q or ''='
- In the Password field (password POST parameter): ') or $Q or (''='

±-> Exploiting The Authentication Bypass Vulnerability:
You can login as anyone of the registered users of ACollab CMS by
providing following vector
as username and nothing as password:
'or''='' limit 1 offset 0 – '
Above vector will log you as the first user according to its member
id order. You can login as other
users, searching for a group administrator account, by following vectors:
'or''='' limit 1 offset 0 – '
'or''='' limit 1 offset 1 – '
'or''='' limit 1 offset 2 – '

####################

  • Solution:
    ####################

Add the following command
$_POST['login'] = addslashes ($_POST['login']);
$_POST['password'] = addslashes ($_POST['password']);
at the line 46 of 'sign_in.php' file.

####################

  • Original Advisory:
    ####################

http://www.bugreport.ir/index_72.htm

####################

JSON