#40 WebTareas [2.1] vulnerable

Milestone: 2.0
Status: closed
Labels: Bugs? (2)
Updated: 2020-09-03
Created: 2020-06-20
Creator: AppleBois
Private: No

Multiple Stored XSS
Payload = <script>alert('AppleBois');</script>
/webtareas/clients/editclient.php || Name, City, Country, Phone, Fax
/webtareas/extensions/addextension.php? || Title || Trigger: /Tareas/webtareas/extensions/viewextension.php?id=1&borne1=0
/webtareas/administration/add_announcement.php? || Subject || Trigger: /webtareas/general/newnotifications.php
/webtareas/administration/departments.php?mode=add || Name printed || Trigger: /webtareas/administration/departments.php
/webtareas/administration/locations.php?mode=add || Name printed || Trigger: /webtareas/administration/locations.php?mode=list&msg=add#locAnchor
/webtareas/expenses/claim_type.php?mode=add#eExAnchor || Name printed || Trigger: /webtareas/expenses/editexpense.php?recurring=&project=0
/webtareas/projects/editproject.php || Name || /webtareas/projects/viewproject.php?id={depend on the id of project}&msg=add#epDAnchor

/webtareas/general/newnotifications.php || Will trigger if <script>alert('AppleBois');</script> is displayed on Recent Visited Pages


Directory Listing || Uploaded content disclosed
/webtareas/files/Default/

File Upload to Remote Shell Execution --> https://medium.com/@tehwinsam/webtareas-2-1-c8b406c68c2a

Discussion

  • AppleBois

    AppleBois - 2020-06-20
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -12,4 +12,4 @@
    
     ---------------------------------------------------------------------------------------------------------------------------------------------------------
     Directory Listing || Uploaded content disclosed
    -/webtareas/files/Default//webtareas/files/Default/
    +/webtareas/files/Default/
    
     
  • AppleBois

    AppleBois - 2020-06-21
    • summary: Vuln --> WebTareas [2.1] vulnerable
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -13,3 +13,5 @@
     ---------------------------------------------------------------------------------------------------------------------------------------------------------
     Directory Listing || Uploaded content disclosed
     /webtareas/files/Default/
    +
    +File Upload to Remote Shell Execution --&gt; https://medium.com/@tehwinsam/webtareas-2-1-c8b406c68c2a 
    
     
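    Review bot: the added "File Upload to Remote Shell Execution" line gives only an external link, while the directory listing entry just above it names the affected path; if the link goes away the ticket no longer says what is affected. Suggest stating the upload script and the file type involved in the description itself and keeping the link as a reference.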
  • AppleBois

    AppleBois - 2020-06-21
    • Milestone: 1.12 --> 2.0
     
  • Luis, Wang

    Luis, Wang - 2020-06-24
    • assigned_to: Luis, Wang
     
  • Luis, Wang

    Luis, Wang - 2020-06-24

    patch released: webTareas v2.1 p1

     
    • AppleBois

      AppleBois - 2020-06-24

      Problem not solved.
      [Uploaded File Disclosure]
      An unauthenticated user can view the content of /webtareas/files/Default/

      [File Upload to execute Calculator.exe]
      A client is allowed to upload a malicious file with the .shtml extension,
      which can pop a calculator or cmd.exe and more, including PowerShell.exe.

      After it is uploaded, an unauthenticated user can browse the "URL" as I mentioned,
      http://IP/webtareas/files/Default/a--4.v1.0.shtml, to pop a calculator.

      [Suggestion to fix]
      Verify SESSION before viewing --> /webtareas/files/Default/
      Uploading any files is no problem, as long as /webtareas/files/Default/ does not execute server-side scripts, meaning the files that we click will be downloaded and not executed.
      Another solution that might be easy to implement: the uploaded content can be stored outside the web root directory.

      If you want a Mandarin version (华语), I can translate.

       

      Last edit: AppleBois 2020-06-24
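
The three fixes suggested in the comment above (session check, no server-side execution of uploads, storage outside the web root), combined in one download handler. This is an added example, not webTareas code or the patch that was released; the handler script itself, `UPLOAD_ROOT` and the `$_SESSION['user_id']` login marker are assumptions.

```php
<?php
// Added example, not webTareas code. UPLOAD_ROOT and $_SESSION['user_id'] are assumptions.
declare(strict_types=1);

const UPLOAD_ROOT = '/var/lib/webtareas-uploads'; // assumed directory outside the web root

// Map a requested name to a regular file directly under $root, or null.
function resolve_upload(string $root, string $requested): ?string
{
    // Only a bare file name is accepted: no separators, no "..", no NUL byte.
    if ($requested === '' || $requested === '.' || $requested === '..'
        || strpos($requested, "\0") !== false || basename($requested) !== $requested) {
        return null;
    }
    $rootReal = realpath($root);
    $path = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($rootReal === false || $path === false || !is_file($path)) {
        return null;
    }
    // Re-check containment after symlinks are resolved.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) { // assumed marker set at login
    http_response_code(403);
    exit('Login required');
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_upload(UPLOAD_ROOT, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Send every stored file as an opaque download so neither the server nor the
// browser interprets it (.shtml, .php and .html are all treated alike).
header('Content-Type: application/octet-stream');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));
readfile($path);
```

With the files stored outside the web root, no URL maps to them directly, so there is no directory listing to browse and an uploaded .shtml file is never parsed by the web server.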
  • AppleBois

    AppleBois - 2020-06-24
    • private: Yes --> No
     
  • Luis, Wang

    Luis, Wang - 2020-09-03
    • status: open --> closed
     
  • Luis, Wang

    Luis, Wang - 2020-09-03

    webTareas v2.1 p3 released

     
