@gerry
Created August 23, 2016 06:01
Various TeamPass (http://teampass.net/) issues.

Arbitrary file data write (leading to RCE)

./sources/export.queries.php:471: $outstream = fopen($_POST['file'], "a"); (place php in item description)

./sources/admin.queries.php:1110: $fh = fopen($tmp_skfile, 'w'); (admin required)

SQLi

./sources/views.queries.php:437: ORDER BY ".$_POST['order']." ".$_POST['direction']." (admin required)
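
One way to close the ORDER BY injection at views.queries.php:437, shown as an added example that is not TeamPass code or the gist author's. The column keys and names are hypothetical, since the page does not show the query's columns.

```php
<?php
// Added example, not TeamPass code. Column keys and names are hypothetical.

/**
 * Build an ORDER BY clause from untrusted request input.
 * Identifiers and keywords cannot be bound as prepared-statement
 * parameters, so both values go through fixed allowlists instead.
 */
function build_order_by(array $input, array $allowedColumns, string $defaultKey): string
{
    // Reject non-string input (e.g. order[]=x arrives as an array).
    $order = isset($input['order']) && is_string($input['order'])
        ? $input['order'] : '';
    $direction = isset($input['direction']) && is_string($input['direction'])
        ? strtoupper(trim($input['direction'])) : '';

    // The request value is only a lookup key; the SQL text comes from our table.
    $column = array_key_exists($order, $allowedColumns)
        ? $allowedColumns[$order]
        : $allowedColumns[$defaultKey];

    if (!in_array($direction, ['ASC', 'DESC'], true)) {
        $direction = 'ASC';
    }

    return 'ORDER BY `' . $column . '` ' . $direction;
}

// Hypothetical mapping of request keys to real column names.
$allowed = ['date' => 'date', 'label' => 'label', 'user' => 'id_user'];

// Constructed sample inputs: one valid, three that must fall back to defaults.
$samples = [
    ['order' => 'label', 'direction' => 'desc'],
    ['order' => 'label, 1', 'direction' => 'ASC'],
    ['order' => 'date', 'direction' => 'DESC, 1'],
    ['order' => ['x'], 'direction' => null],
];

foreach ($samples as $post) {
    echo build_order_by($post, $allowed, 'date'), PHP_EOL;
}
```

Because the emitted SQL fragment is always taken from the server-side table, nothing from `$_POST` is ever concatenated into the query text.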

No Authz on file download:

./sources/downloadFile.php:47: $fp = fopen($_SESSION['settings']['path_to_upload_folder'].'/'.$result['file'], 'rb');

PHP Code execution (unfortunately function is not called):

./sources/kb.queries.php:62: $value = preg_replace('/%([0-9a-f]{2})/ie', 'chr(hexdec($1))', (string) $value);
