Message-ID: <BAY19-DAV385E37307F035F51CDFCED9310@phx.gbl>
Date: Wed Dec 21 02:23:49 2005
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: devhound - multiple vulnerabilities

- EXPL-A-2005-017 exploitlabs.com Advisory 046 -

                          - devhound -



AFFECTED PRODUCTS
=================
DevHound v2.24 and earlier
http://www.nexusconcepts.com/devhound.html



OVERVIEW
========
Dev Hound is a web based project management system designed
for bug tracking, tracking projects, development teams,
software releases, clients, support calls and knowledge bases.
Featuring its own web server, 2 minute server install, email
notifications, mail merge client emailing, reports, graphs
and a windows XP style easy to use interface Dev Hound makes
life easier for software developers, QA personnel, project
managers and customers.



DETAILS
=======
1. cleartext username and password
DevHound stores username and password information in the file:
C:\[devhound-path]\data\devhound.tdbd

2. persistent XSS
Nearly every user input field is vulnerable to persistent XSS,
which is rendered in the context of the user's browser without
the need to click any special link.
In this case XSS may disclose cookie and credential data.
2a. denial of service
Some script input may cause the UI to become totally inoperable
due to the application's failure to properly filter script
content; forced URL redirection is also possible.

3. path disclosure
Requesting a nonexistent file.dll returns an error message
that discloses a local path



POC
===
1. by viewing the file:
C:\[devhound-path]\data\devhound.tdbd
.testuser .testpass
2. any scripting tag of the attacker's choice
3. http://[devhound-url]\null.dll
"Web Server Exception Occurred:
Unable to load DLL: NULL.DLL (C:\My Projects\webserver\dllStore.pas, line
120)"




SOLUTION:
=========
vendor contact:
Dec 15, 2005 support@...usconcepts.com
vendor response:
Dec 16, 2005 Beta Patches released v2.25
Dec 17, 2005 Beta Patches released v.2.26
Dec 19, 2005 Final Patches released v.2.26
http://www.nexusconcepts.com/downloads/installdevhound.exe
http://www.nexusconcepts.com/downloads/upgradedevhound.exe



Researcher comment:
------------------
Great vendor response time, and understanding of the issues
involved. Bravo



Credits
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
-- 
web: http://exploitlabs.com
web: http://zone-h.org
http://www.exploitlabs.com/files/advisories/EXPL-A-2005-017-devhound.txt
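
Added example, not part of the original advisory or of DevHound: a small check for item 3 that scans an HTTP error body for leaked local paths and redacts them, using the error text from the POC section as sample input. The names LEAK, find_path_disclosure and redact are hypothetical.

```python
import re

# Absolute Windows path ending in a file name, optionally followed by the
# ", line N" suffix seen in the advisory's error text. Directory names may
# contain spaces ("My Projects") or dots.
LEAK = re.compile(
    r'(?P<path>[A-Za-z]:(?:\\[^\\/:*?"<>|\r\n]+?)+\.\w+(?![\\\w]))'
    r'(?:,\s*line\s+(?P<line>\d+))?',
    re.IGNORECASE,
)

# Error text quoted in the POC section (line wrap preserved).
SAMPLE = (
    'Web Server Exception Occurred:\n'
    'Unable to load DLL: NULL.DLL (C:\\My Projects\\webserver\\dllStore.pas, line\n'
    '120)'
)


def find_path_disclosure(body):
    """Return [(path, line_or_None), ...] for every local path leaked in body."""
    return [
        (m.group('path'), int(m.group('line')) if m.group('line') else None)
        for m in LEAK.finditer(body)
    ]


def redact(body):
    """Return body with leaked paths and line references replaced."""
    return LEAK.sub('[path removed]', body)


if __name__ == '__main__':
    for path, line in find_path_disclosure(SAMPLE):
        print(f'leaked path: {path} (source line {line})')
    print(redact(SAMPLE))
```

Run against error pages of an upgraded install, an empty result from find_path_disclosure indicates the path is no longer returned to the client.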
