An arbitrary file upload vulnerability exists in versions 2.5.1, 2.6, and 2.6.1 (the most current version) of the phpCollab project management system. The vulnerability is caused by a lack of (or an ineffective implementation of) file type filtering when a client logo is uploaded. The v2.5.1 upload script makes no attempt to filter or otherwise sanitize the uploaded file, allowing arbitrary files to be uploaded and subsequently executed on the server. The v2.6 and v2.6.1 releases implement rudimentary checks that attempt to verify that the uploaded file is an image; however, these are easily bypassed, and the application remains vulnerable to arbitrary file uploads.
Exploitation
Stages
- An unauthenticated remote attacker makes a POST request containing a file upload to update a specified client ID.
- The ‘editclient.php’ script processes the request and accepts the upload without any file type checks or extension filtering, writing it to ‘…/logos_clients/’.
- The attacker is redirected to the ‘viewclients.php’ page to view the updated client data, which triggers a second redirect to a login page because the attacker is unauthenticated.
Prerequisites
The attacker must be able to send crafted packets to the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) used by Alert Logic Threat Manager™ has been updated with new signatures for this exploit. If a signature is matched, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Update the software to a non-vulnerable version.
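For maintainers of a similar PHP upload feature, the following is an added example (not phpCollab's or Alert Logic's code) of the validation the vulnerable script lacks: content sniffing, image decoding, re-encoding, a server-chosen filename, and an authentication check before the upload is touched. The form field names, the session key and the logo directory are assumptions.

```php
<?php
// Added example, not phpCollab's code: the checks a client-logo upload
// handler needs. Assumed: form field 'logo', client id in 'id', logged-in
// users carry $_SESSION['user_id'], logos live in an assumed directory.
declare(strict_types=1);
const LOGO_MAX_BYTES = 512 * 1024;
const LOGO_MIME = ['image/png', 'image/jpeg', 'image/gif'];
/** Validate an uploaded logo and return the stored path; throw on any failure. */
function store_client_logo(array $file, string $logoDir, int $clientId): string
{
    // Reject failed uploads and anything that did not arrive via HTTP upload.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an uploaded file');
    }
    if ($file['size'] > LOGO_MAX_BYTES) {
        throw new RuntimeException('logo too large');
    }
    // 1. Sniff the MIME type from the bytes; $file['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, LOGO_MIME, true)) {
        throw new RuntimeException("unexpected content type: $mime");
    }
    // 2. It must decode as an image with sane dimensions.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] > 2000 || $info[1] > 2000) {
        throw new RuntimeException('not a decodable image');
    }
    // 3. Re-encode through GD so only pixel data survives; non-image bytes
    //    carried inside or after the original file are dropped.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('image decode failed');
    }
    // 4. Server-chosen filename with a fixed .png extension; the client's
    //    original name and extension are never used.
    $dest = rtrim($logoDir, '/') . sprintf('/client_%d_%s.png', $clientId, bin2hex(random_bytes(8)));
    if (!imagepng($img, $dest)) {
        throw new RuntimeException('could not write logo');
    }
    return $dest;
}
// The vulnerable flow accepted the upload before any login check; require an
// authenticated POST before reading $_FILES at all.
session_start();
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('login required');
}
$logo = store_client_logo($_FILES['logo'], __DIR__ . '/../logos_clients', (int) $_POST['id']);
// Record basename($logo) against the client in the database (DB layer not shown).
```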