Document Title: =============== Teampass 2.1.26 - Authenticated File Upload Vulnerability References (Source): ==================== http://ift.tt/29kZBa3 Release Date: ============= 2016-07-06 Vulnerability Laboratory ID (VL-ID): ==================================== 1866 Common Vulnerability Scoring System: ==================================== 7.2 Product & Service Introduction: =============================== TeamPass is a Passwords Manager dedicated for managing passwords in a collaborative way on any server Apache, MySQL and PHP. It is especially designed to provide passwords access security for allowed people. This makes TeamPass really useful in a Business/Enterprise environment and will provide to IT or Team Manager a powerful and easy tool for customizing passwords access depending on the user’s role. (Copy of the Homepage: http://teampass.net/ ) Abstract Advisory Information: ============================== An independent vulnerability laboratory researcher discovered a file upload vulnerability in the official Teampass v2.1.26 web-application. Vulnerability Disclosure Timeline: ================================== 2016-07-06: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Remote Severity Level: =============== High Technical Details & Description: ================================ A file upload vulnerability has been discovered in the official Teampass v2.1.26 web-application. The vulnerability allows authenticated users with low privileged accounts to upload files to the /files directory in the webroot. There are no filters present which checks the file extensions or contents for the files. Proof of Concept (PoC): ======================= Any authenticated user can upload files to the /files directory in the webroot, even low privileged users with only read-only rights can exploit this vulnerability. Files can be uploaded by visiting http://localhost/TeamPass/sources/upload/upload.files.php?PHPSESSID=x&name=poc.php and content can be inserted with a POST request.
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment