PHPCollab 2.5 Unauthenticated Access

2012.05.24

Credit: team

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Date: 3/5/2012
# Author: team ' and 1=1--
# Software Link: http://www.phpcollab.com/
# Version: 2.5
# Vulnerability was found during the AthCon IT Security Conference CTF
#CTF organizer: echothrust
We identified that the PhpCollab application installed under
http://192.0.0.2/phpcollab/ allows the unauthenticated access of all
authenticated content. Specifically when requesting a URL that requires
authentication, such as:
http://192.0.0.2/phpcollab/clients/listclients.php, the server responds
with a redirect (location header) to '../index.php?session=false', which
displays a session error and the login form. However upon inspecting the
response of the request, we can clearly see that all the application data
is returned. This issue allows us to access a number of PhpCollab pages
without any authentication (it must be noted that some of the
administration pages are not available when exploiting the issue). As an
example by using the following command an attacker can retrieve the phpinfo
of the server:
curl -i http://192.0.0.2/phpcollab/administration/phpinfo.php
phpinfo reveals that the system is:
Linux lamp.acmesec.fake 3.1.0-7.fc16.i686.PAE #1 SMP Tue Nov 1 20:53:45 UTC
2011 i686

References:

http://www.phpcollab.com/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

PHPCollab 2.5 Unauthenticated Access

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.