CVE-2012-6554
Published 2013-05-23
Priority: P3 · 51 · medium · 6.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 16.70% (96.6th percentile)
functions/html_to_text.php in the Chat module before 1.5.2 for activeCollab allows remote authenticated users to execute arbitrary PHP code via the message[message_text] parameter to chat/add_messag, which is not properly handled when executing the preg_replace function with the eval switch.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| a51dev | activecollab_chat_module | — | — |
Detection & IOCs
- Monitor POST requests to index.php containing the parameter 'message[message_text]' combined with 'message[chat_id]' and 'message[posted_to_user_id]', which is the injection endpoint used to deliver the preg_replace /e payload.
- Detect exploitation attempts by inspecting POST bodies to ActiveCollab's chat endpoint for preg_replace /e modifier abuse; the vulnerable parameter is message[message_text] in chat/add_messag.
- Presence of the session cookie 'ac_ActiveCollab_sid_eaM4h3LTIZ' in requests to the injection endpoint (index.php) is a strong indicator of active exploitation via the Metasploit module.
- Reconnaissance phase can be detected by unauthenticated GET requests to 'public/assets/modules/chat/'; the exploit checks for HTTP 200 to confirm the chat module is installed before proceeding.
- Check for the string 'powered by activeCollab' in HTTP responses to identify vulnerable application instances during attacker reconnaissance.
- The vulnerable chat module version is prior to 1.5.2; ActiveCollab core versions 2.3.8 and earlier are affected. Patched installations (chat module >= 1.5.2) are not vulnerable.
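The request-level indicators listed above can be correlated per client, as in this added example (not taken from the page or its sources). The record layout (`ip`, `method`, `path`, `cookie`, `body`) is a hypothetical parsed-log format, and treating a cookie-less GET as "unauthenticated" is an assumption.

```python
from urllib.parse import parse_qs, unquote

# Indicator values taken from the detection notes above.
CHAT_PARAMS = {"message[message_text]", "message[chat_id]", "message[posted_to_user_id]"}
MSF_COOKIE = "ac_ActiveCollab_sid_eaM4h3LTIZ"
PROBE_PATH = "public/assets/modules/chat/"

def indicators(req):
    """Return the indicator names matched by one parsed request record."""
    hits = []
    path = unquote(req["path"]).split("?", 1)[0]
    if req["method"] == "GET" and PROBE_PATH in path and not req["cookie"]:
        hits.append("chat-module-probe")        # cookie-less existence check
    if req["method"] == "POST" and path.endswith("index.php"):
        # parse_qs percent-decodes names, so message%5Bchat_id%5D matches too.
        names = set(parse_qs(req["body"], keep_blank_values=True))
        if CHAT_PARAMS <= names:
            hits.append("chat-message-post")    # also produced by normal chat use
            if MSF_COOKIE in req["cookie"]:
                hits.append("msf-session-cookie")
    return hits

def triage(requests):
    """Correlate hits per client IP: {ip: (severity, [indicators in order])}."""
    per_ip = {}
    for req in requests:
        per_ip.setdefault(req["ip"], []).extend(indicators(req))
    result = {}
    for ip, hits in per_ip.items():
        if not hits:
            continue
        probed_then_posted = ("chat-module-probe" in hits and "chat-message-post" in hits
                              and hits.index("chat-module-probe") < hits.index("chat-message-post"))
        high = "msf-session-cookie" in hits or probed_then_posted
        result[ip] = ("high" if high else "low", hits)
    return result

# Constructed sample records (documentation IPs, placeholder message text).
BODY = "message%5Bmessage_text%5D=hello&message%5Bchat_id%5D=1&message%5Bposted_to_user_id%5D=2"
SAMPLE = [
    {"ip": "203.0.113.7", "method": "GET", "path": "/public/assets/modules/chat/", "cookie": "", "body": ""},
    {"ip": "203.0.113.7", "method": "POST", "path": "/index.php", "cookie": MSF_COOKIE + "=x", "body": BODY},
    {"ip": "198.51.100.4", "method": "POST", "path": "/index.php", "cookie": "session=constructed", "body": BODY},
    {"ip": "198.51.100.9", "method": "GET", "path": "/index.php", "cookie": "", "body": ""},
]

if __name__ == "__main__":
    for ip, (severity, hits) in triage(SAMPLE).items():
        print(ip, severity, hits)
```

A chat POST on its own stays at low severity because ordinary chat use sends the same three parameters; only the listed cookie or a preceding module probe raises it.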
No detection rules found.
Exploit-DB
Active Collab 'chat module' < 2.3.8 - Remote PHP Code Injection (Metasploit)
exploitdb·2012-05-19
```ruby
# Module metadata excerpt as indexed; part of the Name string was lost in extraction.
'Name'           => 'Active Collab "chat module" ...',
'Description'    => %q{
    This module exploits an arbitrary code injection vulnerability in the chat module
    that is part of Active Collab by abusing a preg_replace() using the /e modifier and
    its replacement string using double quotes. The vulnerable function can be found in
    activecollab/application/modules/chat/functions/html_to_text.php.
},
'License'        => MSF_LICENSE,
'Author'         =>
  [
    'mr_me ', # vuln discovery & msf module
  ],
'References'     =>
  [
    ['URL', 'http://www.activecollab.com/downloads/category/4/package/62/releases'],
  ],
'Privileged'     => false,
'Payload'        =>
  {
    'Keys'        => ['php'],
    'Space'       => 4000,
    'DisableNops' => true,
  },
'Platform'       => ['php'],
'Arch'           => ARCH_PHP,
'Targets'        => [['Automatic',{}]],
'DisclosureDate' => 'May 30 2012',
'DefaultTarget'  => 0))
```
Metasploit
Active Collab "chat module" Remote PHP Code Injection Exploit
This module exploits an arbitrary code injection vulnerability in the chat module that is part of Active Collab versions 2.3.8 and earlier by abusing a preg_replace() using the /e modifier and its replacement string using double quotes. The vulnerable function can be found in activecollab/application/modules/chat/functions/html_to_text.php.
No writeups or analysis indexed.
- http://osvdb.org/81966
- http://secunia.com/advisories/49246
- http://www.activecollab.com/downloads/category/4/package/62/releases
- http://www.exploit-db.com/exploits/18898
- http://www.securityfocus.com/bid/53624
- https://exchange.xforce.ibmcloud.com/vulnerabilities/75741
Published: 2013-05-23