Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

dotProject 2.1.3 Multiple Vulnerabilities
From: "Justin C. Klein Keane" <justin () madirish net>
Date: Thu, 07 Jan 2010 14:40:22 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The full text of this advisory can also be found at
http://www.madirish.net/?article=444

Description of Vulnerability:
- -----------------------------
dotProject (http://www.dotproject.net/) is a robust open source project
management tool written in PHP and MySQL.  dotProject contains numerous
serious cross site scripting (XSS) and SQL injection vulnerabilities.

Systems affected:
- -----------------
dotProject 2.1.3 was tested and shown to be vulnerable

Mitigating factors
- ------------------
None of the vulnerabilities described below can be exploited by
unauthenticated users.  An attacker must have credentials to access the
site in order to perform the proof of concept attacks detailed below.

Cross Site Scripting Vulnerabilities
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The persistent cross site scripting attacks described below could expose
users to credential theft, browser based attacks (such as remote
iframe), invisible redirects (phishing), or other client side vectors.

== Company ===
The company creation screen fails to filter form details before creating
a new company.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a new company
2.  Click the 'Companies' link in the top navigation bar
3.  Click the 'new company' button in the upper right
4.  Fill in "<script>alert('xss');</script>" for each field except for
phone, phone2, and fax.  These fields restrict the input size so simply
put "<script>alert('1');</script>" in these fields.
5.  Click the 'submit' button in the lower right hand corner
6.  On the resulting screen the company name XSS will appear.
7.  To view the other company XSS attacks browse to
index.php?m=companies&a=view&company_id=X where 'X' is the id of the new
company.  Alternatively you can click on the 'Projects' link in the top
navigation then the 'new project' button in the upper right.  Create a
new project, selecting the newly created company, which will appear as a
blank choice in the company drop down list.  Save the project and then
in the project list click on the company name.

Impact
Any user with the permissions to create new companies can expose other
users of dotProject to XSS attacks.

== Project ===
The project creation screen fails to filter form details before creating
a new project.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a new project
2.  Click the 'Projects' link in the top navigation bar
3.  Click the 'new project' button in the upper right
4.  Fill in "<script>alert('xss');</script>" for the 'Project Name',
'URL', 'Starting URL', and 'Description' fields
5.  Click the 'submit' button in the lower right hand corner
6.  On the resulting screen the project name XSS will appear.
7.  To view the other project XSS attacks browse to
index.php?m=projects&a=view&project_id=X where 'X' is the id of the new
project.

Impact
Any user with the permissions to create new projects can expose other
users of dotProject to XSS attacks.

== Task ===
The task creation screen fails to filter form details before creating a
new task.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a task
2.  Click the 'Projects' link in the top navigation bar
3.  Click on a project name to which the user account has permissions
4.  Click the 'new task' button in the upper right
5.  Fill in "<script>alert('xss');</script>" for the 'Task Name', 'Web
Address', 'Description', and 'Description' fields
6.  Click on the 'Dates' tab and select an appropriate date
7.  Click the 'save' button in the lower right hand corner
8.  On the resulting screen the task name XSS will appear.
9.  To view the other task summary XSS attacks browse to
index.php?m=tasks&a=view&task_id=X where 'X' is the id of the new task.

Impact
Any user with the permissions to create new tasks can expose other users
of dotProject to XSS attacks.

== Task Log ===
The task log creation screen fails to filter form details before
creating a new task log.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a task
2.  Click the 'Tasks' link in the top navigation bar
3.  Click on a task name to which the user account has permissions
4.  Click the 'New Log' tab
5.  Fill in "<script>alert('xss');</script>" for the 'Summary', and
'Description' fields, enter ""><script>alert('log url');</script>" for
the 'URL' field
6.  Click the 'update task' button in the lower right hand corner
7.  On the resulting screen the task name XSS will appear.
8.  To view the other task log XSS attacks browse to
index.php?m=tasks&a=view&task_id=X where 'X' is the id of the task.

Impact
Any user with the permissions to create new task logs (virtually all
dotProject users) can expose other users of dotProject to XSS attacks.

== Files ===
The file attachment screen fails to filter form details before creating
a new file attachment.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a file
2.  Click the 'Files' link in the top navigation bar
3.  Click on a 'new folder' button in the upper right
4.  Fill in "<script>alert('xss');</script>" for the 'Folder Name', and
'Description' fields
5.  Click on the 'new file' button in the upper right
6.  Observer the 'Folder name' XSS
7.  Fill in "<script>alert('xss');</script>" for the 'Description' field
and choose a file to upload
8.  Click the 'submit' button in the lower right hand corner
9.  On the resulting screen the file description XSS will appear.

Impact
Any user with the permissions to create new files can expose other users
of dotProject to XSS attacks.

== Events ===
The events screen fails to filter form details before creating a new events.

Proof of Concept
1.  Log into dotProject as a user with privileges to create an event
2.  Select 'Event' from the '-New Item-' drop down in the upper right or
navigate to index.php?m=calendar&a=addedit
3.  Fill in "<script>alert('xss');</script>" for the 'Event Title', and
'Description' fields
4.  Click on the 'submit' button in the lower right
5.  Observe the XSS at the View Event screen
index.php?m=calendar&a=view&event_id=X where 'X' is the id of the new event.

Impact
Any user with the permissions to create new events can expose other
users of dotProject to XSS attacks.

== Contacts ===
The contacts screen fails to filter form details before creating a new
events.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a new contact
2.  Select 'Contact' from the '-New Item-' drop down in the upper right
or navigate to index.php?m=contacts&a=addedit
3.  Fill in "<script>alert('xss');</script>" for every field
4.  Click on the 'submit' button in the lower right
5.  Observe the XSS at the View Contact screen
index.php?m=contacts&a=view&contact_id=X where 'X' is the id of the new
contact.

Impact
Any user with the permissions to create new contacts can expose other
users of dotProject to XSS attacks.

== Tickets ===
The Submit Trouble Ticket screen fails to filter form details before
creating a new ticket.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a new ticket
2.  Click the 'Tickets' link in the top navigation bar or navigate to
index.php?m=ticketsmith&a=post_ticket
3.  Fill in "<script>alert(\'xss\');</script>" for the 'E-mail' field
4.  Click on the 'submit' button in the lower right
5.  Observe the XSS at the View Contact screen
index.php?m=ticketsmith&a=view&ticket=X where 'X' is the id of the new
contact.

Impact
Any user with the permissions to create new tickets can expose other
users of dotProject to XSS attacks.

== Forums ===
The Add Forum screen fails to filter form details before creating a new
forum.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a new forum
2.  Click the 'Forums' link in the top navigation bar or navigate to
index.php?m=forums&a=post_ticket
3.  Fill in "<script>alert(\'xss\');</script>" for the 'Forum Name' and
'Description' fields
4.  Click on the 'submit' button in the lower right
5.  Observe the XSS at the Forums screen index.php?m=forums

Impact
Any user with the permissions to create new tickets can expose other
users of dotProject to XSS attacks.

== Forum Topics ===
The Forum Add Message screen fails to filter form details before
creating a new topic.

Proof of Concept
1.  Log into dotProject as a user with privileges to create a new forum
topic
2.  Click the 'Forums' link in the top navigation bar or navigate to
index.php?m=forums
3.  Click on the name of a forum
4.  Click on the 'start a new topic' button in the upper right
5.  Fill in "<script>alert(\'xss\');</script>" for the 'Subject' and
'Message' fields
4.  Click on the 'submit' button in the lower right
5.  Observe the XSS at the Forums topics screen or
index.php?m=forums&a=viewer&forum_id=2&message_id=X where 'X' is the id
of the topic

Impact
Any user with the permissions to create new tickets can expose other
users of dotProject to XSS attacks.



SQL Injection Vulnerabilities
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

SQL injection vulnerabilities could allow an attacker to expose
sensitive data, such as password hashes, alter the database contents to
introduce stored XSS vulnerabilities, reset administrative user
passwords to allow escalation of privilege and other attacks that could
lead to the compromise of data, user account credentials, or even the
web server.

The following URL's expose PHP functions that are vulnerable to SQL
injection:


index.php?m=departments&a=addedit&company_id=1'
index.php?m=ticketsmith&a=view&ticket=1'
index.php?m=files&a=index&tab=4&folder=1'

Additionally some forms allow for SQL injection:

*  The ticket creation form index.php?m=ticketsmith&a=post_ticket does
not properly sanitize single quotes in the Name or Email fields

Default Credentials
- -=-=-=-=-=-=-=-=-=-=-=-
When dotProject is installed an administrative user named 'admin' is
created with the default password of 'passwd'.

Impact
The default credentials are easily guessed and users are not forced to
change them, leading to the potential for production sites to be
deployed using these default credentials.


Vulnerabilities in Included Libraries
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The TicketSmith module is generally full of holes, the version (0.6.3)
included in dotProject being last updated in 2001.  Request variables
are not sanitized in any of the pages and are used for display as well
as being interpolated in SQL queries without any sanitization.

Final Notes
- -=-=-=-=-=-
This report is by no means meant to be exhaustive.  Other
vulnerabilities may exist in the tested version of dotProject.
Hopefully these vulnerabilities will illuminate areas of code which can
be updated to fix multiple vulnerability vectors.  dotProject already
contains defensive measures (such as the dPgetCleanParam function in
includes/main_functions.php) that could possibly be used to quickly
develop a patch for many of the bespoke vulnerabilities.

Vendor Response
- ---------------
These issues have been fixed in the git repository and should be
resolved in the next release of dotProject.

- -- 
Justin C. Klein Keane
http://www.MadIrish.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAktGOKYACgkQkSlsbLsN1gDvfgcAs8RP/dsdpRuky0eGZx0j26D2
AFj5c/zEdVCvfXu6D8wb25HLV9vYz3E1BOOe7r8GL6MO/uydRaDtNhQIo1XlOCig
X6ua3yRVnhBMHmLd8OS2xCeXwJGQZ9gPsYPwYpJteOKEDg2XPoW8kdip7eX53/6G
8/k9xn2Zox00YlivjczWhLHvO3ec3eIKMzZuiZhRxw3aDGdPaCfn0QipyZQAaP9D
2JamhY0Y+yuynswhG1M6B+qXV9Q8nFuDsa5OAn0MNXou3eo5UD9X8vT9Zn8Nd3ba
N85eHVXpIqkXiS+zEV8=
=RTF2
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • dotProject 2.1.3 Multiple Vulnerabilities Justin C. Klein Keane (Jan 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault