File Upload Vulnerability CVE-2020-25733
File Listing Directory CVE-2020-25734
Multiple XSS CVE-2020-25735
https://sourceforge.net/projects/webtareas/
https://sourceforge.net/projects/webtareas/files/2.1/webTareas-v2.1.zip/download
File Listing Directory
/webtareas/files/Default/
Hold on, is that really an issue?
Yup, it is: an unauthenticated user can see which items authenticated users have uploaded.✔️
Further Damage?
You will see it in the File Upload Vulnerability section below.✔️
File Upload Vulnerability + File Listing Directory === Remote Shell
*File Upload For Authenticated Users*
Let's upload a .php file.
It fails. Why?
I've tried uploading php7, 6, 5 and so on, and they uploaded successfully.
BUT somehow it's NOT EXECUTING the PHP code. Let's try another method:
assume it's hosted on a Windows operating system. In other words, “.exe”.
We create a payload using MSFVenom
Back to the File Listing Page Vulnerability
Now we notice that the file was renamed from “Applebois.exe” to “Applebois — 2.v.1.0.exe” after we uploaded it.
Now we have to upload another file (.shtml) to trigger the payload.
Upload it and back to the File Listing Directory
Start our listener on Attacker Machine
Trigger the payload …………………… Bomb 💣 ✔️
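A defender-side check for the chain described above, as an added example that is not part of the original write-up or of the webTareas code: it scans web-server access logs for successful directory-index requests and for executable or server-parsed file types served from the upload tree. The combined log format, the RISKY_EXT list and the sample log lines are assumptions constructed for illustration; only the /webtareas/files/ path comes from this page.

```python
import re
from urllib.parse import unquote, urlsplit

# Upload tree named in the write-up; adjust to the deployment's base path.
UPLOAD_PREFIX = "/webtareas/files/"
# Assumed list of types a server may execute or parse instead of serving as data.
RISKY_EXT = re.compile(
    r"\.(php\d*|phtml|phar|shtml?|stm|exe|dll|bat|cmd|ps1|cgi|pl|asp|aspx|jsp)$",
    re.I)
# Apache/nginx "combined" access-log format (an assumption about the server).
LINE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(line):
    """Return (finding, ip, path) for a suspicious request, else None."""
    m = LINE.match(line)
    # Only successful responses matter: a 403/404 means the control held.
    if not m or not m["status"].startswith("2"):
        return None
    # Decode %xx so encoded file names still hit the extension check.
    path = unquote(urlsplit(m["target"]).path)
    if not path.lower().startswith(UPLOAD_PREFIX):
        return None
    if m["method"] == "GET" and path.endswith("/"):
        return ("directory-listing", m["ip"], path)
    if m["method"] in ("GET", "POST") and RISKY_EXT.search(path):
        return ("risky-file-served", m["ip"], path)
    return None

def scan(lines):
    """Collect every finding from an iterable of log lines."""
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE = [
    '203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /webtareas/files/Default/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2020:13:56:02 +0000] "GET /webtareas/files/Default/sample%20--%202.v.1.0.shtml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.20 - alice [10/Oct/2020:14:01:11 +0000] "GET /webtareas/files/Default/report.pdf HTTP/1.1" 200 90211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2020:14:02:40 +0000] "GET /webtareas/files/Default/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Oct/2020:14:03:05 +0000] "GET /webtareas/general/home.php HTTP/1.1" 200 7312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```

A "directory-listing" hit means the index is still being served to that client; a "risky-file-served" hit means an upload with an executable or server-parsed extension was returned with a 2xx status and should be reviewed.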
XSS
Payload = <script>alert('AppleBois');</script>

Vulnerable page: /webtareas/clients/editclient.php
Vulnerable Input Tab: Name, City, Country, Phone, Fax

Vulnerable page: /webtareas/extensions/addextension.php?
Vulnerable Input Tab: Title
Trigger Page: /Tareas/webtareas/extensions/viewextension.php?id=1&borne1=0

Vulnerable page: /webtareas/administration/add_announcement.php?
Vulnerable Input Tab: Subject
Trigger Page: /webtareas/general/newnotifications.php

Vulnerable page: /webtareas/administration/departments.php?mode=add
Vulnerable Input Tab: Name printed
Trigger Page: /webtareas/administration/departments.php

Vulnerable page: /webtareas/administration/locations.php?mode=add
Vulnerable Input Tab: Name printed
Trigger Page: /webtareas/administration/locations.php?mode=list&msg=add#locAnchor

Vulnerable page: /webtareas/expenses/claim_type.php?mode=add#eExAnchor
Vulnerable Input Tab: Name printed
Trigger Page: /webtareas/expenses/editexpense.php?recurring=&project=0

Vulnerable page: /webtareas/projects/editproject.php
Vulnerable Input Tab: Name
Trigger Page: /webtareas/projects/viewproject.php?id={depend on the id of project}&msg=add#epDAnchor

Vulnerable page: /webtareas/general/newnotifications.php
*Trigger when <script>alert('AppleBois');</script> is found on Recent Visited Pages*









