-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0080
     A number of vulnerabilities have been identified in activeCollab
                                29 May 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              activeCollab prior to 2.3.10
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Cross-site Scripting            -- Remote with User Interaction
                      Access Confidential Data        -- Remote/Unauthenticated      
                      Unauthorised Access             -- Remote/Unauthenticated      
                      Reduced Security                -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
Member content until: Thursday, June 28 2012

OVERVIEW

        A number of vulnerabilities have been identified in activeCollab prior
        to version 2.3.10. [1]


IMPACT

        The vendor has provided the following details regarding these issues:
        
        "1. Fixed SQL injection issue in project object class
         2. Fixed XSS issues with select users and select projects widgets
         3. Upgrade script steps can't be triggered without logging in as 
            administrator" [1]
        
        Additionally Stratsec Research has provided the following more
        detailed description of the vulnerabilities identified by
        Andrew Horton, Steven Seeley and Pedram Hayati:
        
        "Remote Code Execution and Remote Command Execution
        
        Remote code execution and remote command execution vulnerabilities 
        allow an attacker to fully compromise the underlying application and 
        potentially the underlying OS.
         
        SQL Injection
        
        SQL injection allows for an attacker to manipulate the backend database 
        and steal sensitive information from the database. An SQL injection 
        attack often leads to the complete compromise of the underlying OS.
         
        Authentication Bypass
        
        Authentication bypass often allows an attacker to perform trusted 
        actions within the application without supplying valid credentials. 
        This may lead to unauthorised manipulation of the application and its 
        data.
         
        Cross-Site Scripting
        
        Cross-site scripting vulnerabilities in an application potentially 
        allow an attacker to execute malicious script on other users systems 
        and hence compromise their sessions, authentication credentials, or 
        even conduct other malicious activity.
         
        XQuery Injection
        
        XQuery (XPath) is a language for addressing parts of XML document. 
        Similar to SQL, XQuery is used to query XML documents. The input data 
        to XQuery must be sanitised in order to avoid malformed queries and 
        possibly access to the entire XML document.
         
        Username enumeration
        
        Username enumeration allows for an external attacker to enumerate 
        valid usernames for the application. This type of vulnerability is 
        generally within login functionality." [2]


MITIGATION

        The vendor recommends upgrading to the latest version of activeCollab
        to correct these issues. [1]


REFERENCES

        [1] activeCollab 2.3.10
            http://www.activecollab.com/docs/manuals/admin/release-notes/activecollab-2-3-10

        [2] ActiveCollab Multiple Vulnerabilities (SS-2012-005)
            https://www.stratsec.net/Research/Advisories/ActiveCollab-Multiple-Vulnerabilities-%28SS-2012-005

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBT8QnBO4yVqjM2NGpAQLBIQ//f9eEGUFS1bcvjuLtNvO/1f9HdmG34v/h
nQaQtzP3/O2ojZJGBdJdag2ayoJ2hKYWmtTIQuv9dCtPROfoGEka7SECkipj6y80
/bTR1UOtMy/qiIsyDqlU3iADTGQDCZK6LcYOBXBcDLOwoPn3VOdD67gRdnNdkfZq
MNF7XGYGJ9k8Vaw/w38EuYs/RIHeyUjIWArHm0ch/SjfjbH0R+5hoyIQGecfEZwi
G5dguD7u28MLJbc8wmwj+QrCzEO45K1pFlklXbow6nzLP2FLJ5/nF/t5CVsvLm9o
xEHTCt0ZpjdGFbs0XQGB5nWMzk58FSkDRuQMby1ibTX7Z901edTzDWGo7dTUdbhZ
w5qoG5uE/L+bZnkZ6zefURqqUgcBNCq5rWRRHvMNClO5EEKoKPVG+qR4+j4yDna7
3rH9zC6M+GTOGJIaVcLwxfhCvWzqPn0y0Y453zDbFICfd9U1mllHyJzPZ/5J5AjD
Npw0vqDbAwf5kzfP24D3QQwV2QKpF2cQDjxGae56QHIn32fvzz0y2M9VMTCU3foq
4rfX2wqrM59UE8edZF0wK7a0Mnv/epLT2ZEY3t6WgMcO25f2kVLbWsEzHMm7Sp34
KO1d7CFhkthroAphVkGq001B5lL69KQAT1eeaD8F076UEFa3lzvuL3nuUN5XD8mc
gXT4ki2kmTI=
=mODP
-----END PGP SIGNATURE-----