dotProject 2.1.3 - Cross-Site Scripting / Improper Permissions

EDB-ID:

11298

CVE:



Author:

h00die

Type:

webapps


Platform:

PHP

Date:

2010-01-30


# Exploit Title: dotProject 2.1.3 XSS and Improper Permissions
# Date: Dec 15 2009
# Author: h00die (mcyr2@csc.com) & S0lus
# Software Link: http://sourceforge.net/projects/dotproject/files/dotproject/dotProject%20Version%202.1.3/dotproject_2_1_3.zip/download
# Version: 2.1.3
# Tested on: BT4 pre-final
# Greetz to muts and loganWHD
# http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily

#Timeline
#Discovery Date: Dec 9 2009
#Vendor Notification: Jan 5 2010
#Public Disclosure:

#Findings:
1. Admin’s Custom Field page is not properly protected from standard users (Default User, role of Project Worker), which can be used with finding 2.
	http://[ip]/dotproject/index.php?m=system&a=custom_field_editor
2. Cross Site Scripting (XSS) via HTML Tag Options field for Custom Fields within all categories (Companies, Projects, Tasks, Calendar)
	http://[ip]/dotproject/index.php?m=system&a=custom_field_editor
	then ‘Add a new Custom Field to this Module’, use Field Display Type as Label, add <script>alert('xss custom module tag options');</script> for HTML Tag Options.  Keep description blank and this field will be invisible when being executed in the victim’s browser
3. Companies is vulnerable to multiple XSS attacks in the following fields:
	Company Name, Address1, Address2, URL, and Description via page: http://[ip]/dotproject/index.php?m=companies&a=addedit
4. Projects is vulnerable to multiple XSS attacks, but it is only when viewing that specific project’s details.  When listing all projects the script is not executed and the text is all displayed, so this is not very covert.
	Project Name, URL, Staging URL, and Description via page http://[ip]/dotproject/index.php?m=projects&a=addedit
5. Tasks is vulnerable to XSS via the Task Name field but no other fields.
	http://[ip]/dotproject/index.php?m=tasks
6. Files has multiple XSS issues.
	Folder Name is vulnerable to XSS via http://[ip]/dotproject/index.php?m=files&a=addedit_folder
	File Description is vulnerable to XSS via http://[ip]/dotproject/index.php?m=files&a=addedit&folder=0
7. Contacts (contact list is safe) is vulnerable to XSS when viewing that contact’s details, similar to #4
	Job Title, Title, Address1, Address2, URL, Jabber, MSN, Yahoo, and Contact Notes are all vulnerable via http://[ip]/dotproject/index.php?m=contacts&a=addedit
8. Forums is vulnerable to XSS
	Forum Name and Description are vulnerable to XSS via http://[ip]/dotproject/index.php?m=forums&a=addedit
	Within a Topic, a Subject and message are both vulnerable to XSS
9. Tickets is vulnerable to XSS attacks in the following field:
	E-Mail via http://[IP]/dotproject/index.php?m=ticketsmith&a=post_ticket