dotProject 2.1.3 - Cross-Site Scripting / Improper Permissions

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1059126 漏洞类型
发布时间 2010-01-30 更新时间 2010-01-30
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/11298
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
# Exploit Title: dotProject 2.1.3 XSS and Improper Permissions
# Date: Dec 15 2009
# Author: h00die (mcyr2@csc.com) & S0lus
# Software Link: http://sourceforge.net/projects/dotproject/files/dotproject/dotProject%20Version%202.1.3/dotproject_2_1_3.zip/download
# Version: 2.1.3
# Tested on: BT4 pre-final
# Greetz to muts and loganWHD
# http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily

#Timeline
#Discovery Date: Dec 9 2009
#Vendor Notification: Jan 5 2010
#Public Disclosure:

#Findings:
1. Admin’s Custom Field page is not properly protected from standard users (Default User, role of Project Worker), which can be used with finding 2.
	http://[ip]/dotproject/index.php?m=system&a=custom_field_editor
2. Cross Site Scripting (XSS) via HTML Tag Options field for Custom Fields within all categories (Companies, Projects, Tasks, Calendar)
	http://[ip]/dotproject/index.php?m=system&a=custom_field_editor
	then ‘Add a new Custom Field to this Module’, use Field Display Type as Label, add <script>alert('xss custom module tag options');</script> for HTML Tag Options.  Keep description blank and this field will be invisible when being executed in the victim’s browser
3. Companies is vulnerable to multiple XSS attacks in the following fields:
	Company Name, Address1, Address2, URL, and Description via page: http://[ip]/dotproject/index.php?m=companies&a=addedit
4. Projects is vulnerable to multiple XSS attacks, but it is only when viewing that specific project’s details.  When listing all projects the script is not executed and the text is all displayed, so this is not very covert.
	Project Name, URL, Staging URL, and Description via page http://[ip]/dotproject/index.php?m=projects&a=addedit
5. Tasks is vulnerable to XSS via the Task Name field but no other fields.
	http://[ip]/dotproject/index.php?m=tasks
6. Files has multiple XSS issues.
	Folder Name is vulnerable to XSS via http://[ip]/dotproject/index.php?m=files&a=addedit_folder
	File Description is vulnerable to XSS via http://[ip]/dotproject/index.php?m=files&a=addedit&folder=0
7. Contacts (contact list is safe) is vulnerable to XSS when viewing that contact’s details, similar to #4
	Job Title, Title, Address1, Address2, URL, Jabber, MSN, Yahoo, and Contact Notes are all vulnerable via http://[ip]/dotproject/index.php?m=contacts&a=addedit
8. Forums is vulnerable to XSS
	Forum Name and Description are vulnerable to XSS via http://[ip]/dotproject/index.php?m=forums&a=addedit
	Within a Topic, a Subject and message are both vulnerable to XSS
9. Tickets is vulnerable to XSS attacks in the following field:
	E-Mail via http://[IP]/dotproject/index.php?m=ticketsmith&a=post_ticket