copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
Search this site

On this site

 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login


ASB-2012.0080 - [Win][UNIX/Linux] activeCollab prior to 2.3.10: Execute arbitrary code/commands - Remote/unauthenticated

Date: 29 May 2012

Click here for printable version
Click here for PGP verifiable version
Hash: SHA1

                         AUSCERT Security Bulletin

     A number of vulnerabilities have been identified in activeCollab
                                29 May 2012


        AusCERT Security Bulletin Summary

Product:              activeCollab prior to 2.3.10
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Remote/Unauthenticated      
                      Unauthorised Access             -- Remote/Unauthenticated      
                      Reduced Security                -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
Member content until: Thursday, June 28 2012


        A number of vulnerabilities have been identified in activeCollab prior
        to version 2.3.10. [1]


        The vendor has provided the following details regarding these issues:
        "1. Fixed SQL injection issue in project object class
         2. Fixed XSS issues with select users and select projects widgets
         3. Upgrade script steps can't be triggered without logging in as 
            administrator" [1]
        Additionally Stratsec Research has provided the following more
        detailed description of the vulnerabilities identified by
        Andrew Horton, Steven Seeley and Pedram Hayati:
        "Remote Code Execution and Remote Command Execution
        Remote code execution and remote command execution vulnerabilities 
        allow an attacker to fully compromise the underlying application and 
        potentially the underlying OS.
        SQL Injection
        SQL injection allows for an attacker to manipulate the backend database 
        and steal sensitive information from the database. An SQL injection 
        attack often leads to the complete compromise of the underlying OS.
        Authentication Bypass
        Authentication bypass often allows an attacker to perform trusted 
        actions within the application without supplying valid credentials. 
        This may lead to unauthorised manipulation of the application and its 
        Cross-Site Scripting
        Cross-site scripting vulnerabilities in an application potentially 
        allow an attacker to execute malicious script on other users systems 
        and hence compromise their sessions, authentication credentials, or 
        even conduct other malicious activity.
        XQuery Injection
        XQuery (XPath) is a language for addressing parts of XML document. 
        Similar to SQL, XQuery is used to query XML documents. The input data 
        to XQuery must be sanitised in order to avoid malformed queries and 
        possibly access to the entire XML document.
        Username enumeration
        Username enumeration allows for an external attacker to enumerate 
        valid usernames for the application. This type of vulnerability is 
        generally within login functionality." [2]


        The vendor recommends upgrading to the latest version of activeCollab
        to correct these issues. [1]


        [1] activeCollab 2.3.10

        [2] ActiveCollab Multiple Vulnerabilities (SS-2012-005)

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.