扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 |
source: https://www.securityfocus.com/bid/37669/info dotProject is prone to multiple SQL-injection and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks. The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. dotProject 2.1.3 is vulnerable; other versions may also be affected. == Company === The company creation screen fails to filter form details before creating a new company. Proof of Concept 1.Log into dotProject as a user with privileges to create a new company 2.Click the 'Companies' link in the top navigation bar 3.Click the 'new company' button in the upper right 4.Fill in "<script>alert('xss');</script>" for each field except for phone, phone2, and fax.These fields restrict the input size so simply put "<script>alert('1');</script>" in these fields. 5.Click the 'submit' button in the lower right hand corner 6.On the resulting screen the company name XSS will appear. 7.To view the other company XSS attacks browse to index.php?m=companies&a=view&company_id=X where 'X' is the id of the new company.Alternatively you can click on the 'Projects' link in the top navigation then the 'new project' button in the upper right.Create a new project, selecting the newly created company, which will appear as a blank choice in the company drop down list.Save the project and then in the project list click on the company name. Impact Any user with the permissions to create new companies can expose other users of dotProject to XSS attacks. == Project === The project creation screen fails to filter form details before creating a new project. Proof of Concept 1.Log into dotProject as a user with privileges to create a new project 2.Click the 'Projects' link in the top navigation bar 3.Click the 'new project' button in the upper right 4.Fill in "<script>alert('xss');</script>" for the 'Project Name', 'URL', 'Starting URL', and 'Description' fields 5.Click the 'submit' button in the lower right hand corner 6.On the resulting screen the project name XSS will appear. 7.To view the other project XSS attacks browse to index.php?m=projects&a=view&project_id=X where 'X' is the id of the new project. Impact Any user with the permissions to create new projects can expose other users of dotProject to XSS attacks. == Task === The task creation screen fails to filter form details before creating a new task. Proof of Concept 1.Log into dotProject as a user with privileges to create a task 2.Click the 'Projects' link in the top navigation bar 3.Click on a project name to which the user account has permissions 4.Click the 'new task' button in the upper right 5.Fill in "<script>alert('xss');</script>" for the 'Task Name', 'Web Address', 'Description', and 'Description' fields 6.Click on the 'Dates' tab and select an appropriate date 7.Click the 'save' button in the lower right hand corner 8.On the resulting screen the task name XSS will appear. 9.To view the other task summary XSS attacks browse to index.php?m=tasks&a=view&task_id=X where 'X' is the id of the new task. Impact Any user with the permissions to create new tasks can expose other users of dotProject to XSS attacks. == Task Log === The task log creation screen fails to filter form details before creating a new task log. Proof of Concept 1.Log into dotProject as a user with privileges to create a task 2.Click the 'Tasks' link in the top navigation bar 3.Click on a task name to which the user account has permissions 4.Click the 'New Log' tab 5.Fill in "<script>alert('xss');</script>" for the 'Summary', and 'Description' fields, enter ""><script>alert('log url');</script>" for the 'URL' field 6.Click the 'update task' button in the lower right hand corner 7.On the resulting screen the task name XSS will appear. 8.To view the other task log XSS attacks browse to index.php?m=tasks&a=view&task_id=X where 'X' is the id of the task. Impact Any user with the permissions to create new task logs (virtually all dotProject users) can expose other users of dotProject to XSS attacks. == Files === The file attachment screen fails to filter form details before creating a new file attachment. Proof of Concept 1.Log into dotProject as a user with privileges to create a file 2.Click the 'Files' link in the top navigation bar 3.Click on a 'new folder' button in the upper right 4.Fill in "<script>alert('xss');</script>" for the 'Folder Name', and 'Description' fields 5.Click on the 'new file' button in the upper right 6.Observer the 'Folder name' XSS 7.Fill in "<script>alert('xss');</script>" for the 'Description' field and choose a file to upload 8.Click the 'submit' button in the lower right hand corner 9.On the resulting screen the file description XSS will appear. Impact Any user with the permissions to create new files can expose other users of dotProject to XSS attacks. == Events === The events screen fails to filter form details before creating a new events. Proof of Concept 1.Log into dotProject as a user with privileges to create an event 2.Select 'Event' from the '-New Item-' drop down in the upper right or navigate to index.php?m=calendar&a=addedit 3.Fill in "<script>alert('xss');</script>" for the 'Event Title', and 'Description' fields 4.Click on the 'submit' button in the lower right 5.Observe the XSS at the View Event screen index.php?m=calendar&a=view&event_id=X where 'X' is the id of the new event. Impact Any user with the permissions to create new events can expose other users of dotProject to XSS attacks. == Contacts === The contacts screen fails to filter form details before creating a new events. Proof of Concept 1.Log into dotProject as a user with privileges to create a new contact 2.Select 'Contact' from the '-New Item-' drop down in the upper right or navigate to index.php?m=contacts&a=addedit 3.Fill in "<script>alert('xss');</script>" for every field 4.Click on the 'submit' button in the lower right 5.Observe the XSS at the View Contact screen index.php?m=contacts&a=view&contact_id=X where 'X' is the id of the new contact. Impact Any user with the permissions to create new contacts can expose other users of dotProject to XSS attacks. == Tickets === The Submit Trouble Ticket screen fails to filter form details before creating a new ticket. Proof of Concept 1.Log into dotProject as a user with privileges to create a new ticket 2.Click the 'Tickets' link in the top navigation bar or navigate to index.php?m=ticketsmith&a=post_ticket 3.Fill in "<script>alert(\'xss\');</script>" for the 'E-mail' field 4.Click on the 'submit' button in the lower right 5.Observe the XSS at the View Contact screen index.php?m=ticketsmith&a=view&ticket=X where 'X' is the id of the new contact. Impact Any user with the permissions to create new tickets can expose other users of dotProject to XSS attacks. == Forums === The Add Forum screen fails to filter form details before creating a new forum. Proof of Concept 1.Log into dotProject as a user with privileges to create a new forum 2.Click the 'Forums' link in the top navigation bar or navigate to index.php?m=forums&a=post_ticket 3.Fill in "<script>alert(\'xss\');</script>" for the 'Forum Name' and 'Description' fields 4.Click on the 'submit' button in the lower right 5.Observe the XSS at the Forums screen index.php?m=forums Impact Any user with the permissions to create new tickets can expose other users of dotProject to XSS attacks. == Forum Topics === The Forum Add Message screen fails to filter form details before creating a new topic. Proof of Concept 1.Log into dotProject as a user with privileges to create a new forum topic 2.Click the 'Forums' link in the top navigation bar or navigate to index.php?m=forums 3.Click on the name of a forum 4.Click on the 'start a new topic' button in the upper right 5.Fill in "<script>alert(\'xss\');</script>" for the 'Subject' and 'Message' fields 4.Click on the 'submit' button in the lower right 5.Observe the XSS at the Forums topics screen or index.php?m=forums&a=viewer&forum_id=2&message_id=X where 'X' is the id of the topic Impact Any user with the permissions to create new tickets can expose other users of dotProject to XSS attacks. SQL Injection Vulnerabilities -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- SQL injection vulnerabilities could allow an attacker to expose sensitive data, such as password hashes, alter the database contents to introduce stored XSS vulnerabilities, reset administrative user passwords to allow escalation of privilege and other attacks that could lead to the compromise of data, user account credentials, or even the web server. The following URL's expose PHP functions that are vulnerable to SQL injection: index.php?m=departments&a=addedit&company_id=1' index.php?m=ticketsmith&a=view&ticket=1' index.php?m=files&a=index&tab=4&folder=1' Additionally some forms allow for SQL injection: *The ticket creation form index.php?m=ticketsmith&a=post_ticket does not properly sanitize single quotes in the Name or Email fields |
体验盒子
