Home page logo

bugtraq logo Bugtraq mailing list archives

Multiple Vulnerabilities in phpScheduleIt
From: Joxean Koret <joxeankoret () yahoo es>
Date: 31 Aug 2004 19:53:01 -0000

              Multiple Vulnerabilities in phpScheduleIt 
Author: Joxean Koret 
Date: 2004  
Location: Basque Country 
Affected software description: 
phpScheduleIt 1.0.0 RC1 
phpScheduleIt is a web application that attempts 
to solve the problem of  
scheduling and managing resource utilization. It 
provides a permissions-based  
calendar that allows users to self-register and 
reserve resources and the  
tools to manage those reservations. 
Some typical applications are conference room, 
equipment, or work shift scheduling. 
Web : http://www.php.brickhost.com/ 
A. Multiple Cross Site Scripting Vulnerabilities 
A1. When you register a new user the fields 
"Name" and "Last Name" (at least) 
allows potentially dangerous HTML (and also 
any Client-side scripting language). 
If do you want to try it follow these steps : 
       1.- Go to http://<site-with-phpScheduleIt> 
       2.- Click on "Click Here to Register" 
       3.- Enter the required fields and in the name 
and/or last name insert the 
           following data : 
       4.- Click on register. The system doesn't 
check if the e-mail is valid and/or 
           if this is a robot! You are logged in!!! 
       5.- You will see your cookie in a box. 
Exploitation of this issue could allow for theft of 
cookie-based authentication  
credentials. Other attacks are also possible. 
A2. When you create a new Schedule you can 
insert potentially dangerous HTML or Client 
side script in the Schedule Name field. 
Exploitation of this issue could allow for theft of 
cookie-based authentication credentials. 
Other attacks are also possible. 
B. Privilege Excalation Vulnerabilities 
B1. Privilege excalation (Administrator 
privileges) of a normal user. 
The best way to test it is by follow these steps : 
       1.- Goto http://<site-with-phpScheduleIt> 
       2.- Logging as administrator. 
       3.- Now, insert in the browser the following 
location http://<site-with-phpScheduleIt> or 
           just click on the Back button in your 
       4.- Logging as a normal user. 
       5.- The user is a normal user with the Admin 
user privileges. 
This doesn't work if the Administrator does click 
on "Logout". 
NOTE: This requires that the user be on the 
same machine and browser as the  
administrator and is really more of a physical 
security issue than a  
programatic risk. 
The fix: 
The security issues have been fixed and will be 
included in the codebase  
starting with version 1.0.0.  
The information in this advisory and any of its 
demonstrations is provided 
"as is" without any warranty of any kind. 
I am not liable for any direct or indirect damages 
caused as a result of 
using the information or demonstrations 
provided in any part of this 
        Joxean Koret at 

  By Date           By Thread  

Current thread:
  • Multiple Vulnerabilities in phpScheduleIt Joxean Koret (Aug 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]