ProjectPier 多个跨站脚本漏洞

https://www.exploit-db.com/exploits/31229
https://www.securityfocus.com/bid/80780
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-269

ProjectPier是一款开放源代码的PHP项目管理应用程序。ProjectPier0.8及其早期版本中存在多个跨站脚本漏洞。远程攻击者可以借助(1)一条信息,(2)一个重要事件,或(3)一个剖面图中的一个显示名，或(4)a或(5)对index.php的c参数，注入任意web脚本或HTML。

source: http://www.securityfocus.com/bid/27857/info

ProjectPier is prone to multiple HTML-injection and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

ProjectPier 0.8.0 is vulnerable; prior versions may also be affected.

http://www.example.com/projectpier/index.php?c=access"><script>alert('xss')</script>&a=login"><script>alert(document.cookie)</script>

ProjectPier ProjectPier 0.8

来源:www.projectpier.org
链接:http://www.projectpier.org/node/679
来源:BID
名称:27857
链接:http://www.securityfocus.com/bid/27857
来源:BUGTRAQ
名称:20080217ProjectPier<=0.80CrossSiteScriptingandRequestForgery
链接:http://www.securityfocus.com/archive/1/archive/1/488294/100/200/threaded
来源:SREASON
名称:4734
链接:http://securityreason.com/securityalert/4734
来源:SECUNIA
名称:29016
链接:http://secunia.com/advisories/29016