Working together with Digital Security Alliance on a client's request for a penetration test of their infrastructure, we found a privilege escalation vulnerability in “Freelancer Office” by gitbench. The vulnerability affects all versions above 1.7 (including the current release) and can be exploited in less than 2 minutes, with a browser as the only required tool.
A simple Google dork on the script's copyright string allowed us to find hundreds of vulnerable installations within seconds. All of the targets confirmed that the issue is indeed not a false positive. Informing both the author gitbench (via email@example.com – William Mandai) and the distributor Envato, CodeCanyon (via their support channel) has been without any success since the 8th of January. So, in the interests of existing users' data safety and of those who are considering using Freelancer Office, we are publishing this information; we respected responsible disclosure from our side for far longer than we should have.
The vulnerability comes from “application/controllers/Installer.php”: the existing code does not check whether the system has already been installed, so the installer stays reachable after setup.
The exploit is as simple as appending “/installer/?step=4” (https://gitbench.com/demo/installer/?step=4, for example) to the base path of a Freelancer Office installation. From there, anyone can create a new administrative account with full access and privileges to everything within the system.
The fix is to add an “exit();” call at line 46 of “application/controllers/Installer.php”, so that the installer stops once the application has been successfully installed. The code block should look like this:
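For operators of an already installed instance, the useful question is whether anyone has hit the installer since go-live. The following is an added example (not part of the original advisory) that scans web server access log lines in combined format and flags any request to the installer route, treating a POST to step 4 as critical because that is the step that creates an administrative account. The log lines are constructed sample data.

```php
<?php
// Added example (not from the original advisory): scan access log lines for
// requests to /installer/ on a live instance. Once an instance is installed,
// any such request is unexpected and worth alerting on.

// Constructed sample lines in Apache/nginx combined log format.
$log_lines = [
    '203.0.113.5 - - [10/Jan/2017:10:02:11 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2017:10:02:40 +0000] "GET /installer/?step=4 HTTP/1.1" 200 8100 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2017:10:03:02 +0000] "POST /installer/?step=4 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2017:10:05:00 +0000] "GET /invoices/view/12 HTTP/1.1" 200 2300 "-" "Mozilla/5.0"',
];

// Returns one record per installer hit: who, when, which step, and a severity.
function find_installer_hits(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Capture client IP, timestamp, method, path and status from the combined-format line.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $ts, $method, $path, $status] = $m;

        // Match the installer route regardless of trailing slash or query string.
        if (!preg_match('#^/installer(/|\?|$)#i', $path)) {
            continue;
        }
        parse_str((string) parse_url($path, PHP_URL_QUERY), $q);
        $step = $q['step'] ?? null;

        $hits[] = [
            'ip'       => $ip,
            'time'     => $ts,
            'method'   => $method,
            'step'     => $step,
            'status'   => (int) $status,
            // A POST to step 4 is the account-creation submission itself.
            'severity' => ($method === 'POST' && $step === '4') ? 'critical' : 'warning',
        ];
    }
    return $hits;
}

foreach (find_installer_hits($log_lines) as $h) {
    printf("[%s] %s /installer/ step=%s from %s at %s (HTTP %d)\n",
        strtoupper($h['severity']), $h['method'], $h['step'] ?? '-',
        $h['ip'], $h['time'], $h['status']);
}
```

Run it with `php scan.php` against the constructed lines and it reports two hits from 203.0.113.9, the POST flagged as critical. In practice, feed it the real access log and pair a critical hit with a review of the users table for administrative accounts created at that time.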
    public function _check_install()
    {
        // Database settings written by the installer (CodeIgniter convention).
        // This include line is assumed here; it was not part of the original excerpt.
        include APPPATH . 'config/database.php';

        $host     = $db['default']['hostname'];
        $username = $db['default']['username'];
        $pass     = $db['default']['password'];
        $db_name  = $db['default']['database'];

        // True once a working database configuration exists, i.e. the application is installed;
        // the fix described above calls exit(); whenever this returns true.
        return $this->_verify_db_config($host, $username, $pass, $db_name);
    }
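The following is an added, standalone sketch (not Freelancer Office's own code) of the guard the fix relies on: every installer entry point, including step 4, checks whether a working database configuration already exists and refuses to run if so. The `$db` array is a constructed stand-in for the generated `application/config/database.php`, and `verify_db_config()` is a hypothetical stand-in for the controller's real `_verify_db_config()`.

```php
<?php
// Added example (not Freelancer Office's own code): a standalone sketch of the
// install guard. Once a working database config exists, no installer step may run.

// Constructed stand-in for application/config/database.php after a finished install.
$db = [
    'default' => [
        'hostname' => 'localhost',
        'username' => 'fo_user',
        'password' => 'example-only',
        'database' => 'freelancer_office',
    ],
];

// Hypothetical stand-in for _verify_db_config(): the real controller opens a
// connection; here a non-empty hostname and database name count as "installed".
function verify_db_config(string $host, string $user, string $pass, string $name): bool
{
    return $host !== '' && $name !== '';
}

// Mirrors _check_install(): true when the application is already installed.
function check_install(array $db): bool
{
    $cfg = $db['default'] ?? [];
    return verify_db_config(
        $cfg['hostname'] ?? '',
        $cfg['username'] ?? '',
        $cfg['password'] ?? '',
        $cfg['database'] ?? ''
    );
}

// Guard to run before any step is dispatched. Returning a value instead of calling
// exit() inside keeps it testable; the entry point below does the exit.
function installer_allowed(array $db): bool
{
    return !check_install($db);
}

// Entry point, as the controller would use it: refuse every step once installed,
// before $_GET['step'] is even looked at.
if (!installer_allowed($db)) {
    http_response_code(403);
    echo "Installer disabled: application is already installed.\n";
    exit();
}

$step = (int) ($_GET['step'] ?? 1);
echo "Installer step $step would run here (fresh install only).\n";
```

The important property is that the guard runs before the step parameter is read, so it covers step 4 and any step added later. A belt-and-braces alternative is to also remove or rename the Installer controller after setup, which is what many installers prompt for.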
However, I would seriously consider whether to continue using Freelancer Office (and other tools by gitbench) in the future. It’s not about the security issue, everyone can make security errors, but it’s a whole different story when thousands of clients’ (Freelancer Office users’) confidential information is ignored, when such things as financial data (invoices), their clients, projects and even access data to their servers are freely available to anyone within 2 minutes.
Information in this article may only be republished with a clear source link back to here.