Vulmon
Vulnerability title: Arbitrary File Upload In Collabtive
CVE: CVE-2015-0258
Vendor: Collabtive
Product: Collabtive
Affected version: 2.0
Fixed version: 2.1
Reported by: Arturo Rodriguez
Details:
It was discovered that authenticated users were able to upload files with extensions: php3, php4, php5 or phtml to the web server.
The issue is on the avatar upload functionality. The application checks if the filetype is an image but this can be bypassed using a proxy and changing the type to "image/jpeg" on the file upload request. The application also checks if the extension of the file is php or pl but it doesn't check for .php3 .php4 .php5 or phtml. It is possible to upload a file with one of these extensions and get code execution by going to http://installpath/files/standard/avatar/image_name
Even though a random value is appended to the name of the image, it is possible to get the name by seeing the requests the application does when the avatar image is loaded.
Impact:
An attacker could exploit the functionality to upload server scripts which, when requested by a browser, would execute code on the server.
<p>