header-logo
Suggest Exploit
vendor:
dotProject
by:
h00die (mcyr2@csc.com) & S0lus
7,5
CVSS
HIGH
Cross Site Scripting (XSS)
79
CWE
Product Name: dotProject
Affected Version From: 2.1.3
Affected Version To: 2.1.3
Patch Exists: NO
Related CWE: N/A
CPE: dotproject:dotproject
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: BT4 pre-final
2009

dotProject 2.1.3 XSS and Improper Permissions

Admin’s Custom Field page is not properly protected from standard users (Default User, role of Project Worker), which can be used with finding 2. Cross Site Scripting (XSS) via HTML Tag Options field for Custom Fields within all categories (Companies, Projects, Tasks, Calendar). Companies is vulnerable to multiple XSS attacks in the following fields: Company Name, Address1, Address2, URL, and Description. Projects is vulnerable to multiple XSS attacks, but it is only when viewing that specific project’s details. Tasks is vulnerable to XSS via the Task Name field but no other fields. Files has multiple XSS issues. Folder Name is vulnerable to XSS and File Descrption is vulnerable to XSS.

Mitigation:

Ensure that all user input is properly sanitized and validated before being used in the application. Ensure that all user input is properly escaped before being used in the application. Ensure that all user input is properly encoded before being used in the application.
Source

Exploit-DB raw data:

# Exploit Title: dotProject 2.1.3 XSS and Improper Permissions
# Date: Dec 15 2009
# Author: h00die (mcyr2@csc.com) & S0lus
# Software Link: http://sourceforge.net/projects/dotproject/files/dotproject/dotProject%20Version%202.1.3/dotproject_2_1_3.zip/download
# Version: 2.1.3
# Tested on: BT4 pre-final
# Greetz to muts and loganWHD
# http://www.offensive-security.com/offsec101.php turning script kiddies into ninjas daily

#Timeline
#Discovery Date: Dec 9 2009
#Vendor Notification: Jan 5 2010
#Public Disclosure:

#Findings:
1. Admin’s Custom Field page is not properly protected from standard users (Default User, role of Project Worker), which can be used with finding 2.
	http://[ip]/dotproject/index.php?m=system&a=custom_field_editor
2. Cross Site Scripting (XSS) via HTML Tag Options field for Custom Fields within all categories (Companies, Projects, Tasks, Calendar)
	http://[ip]/dotproject/index.php?m=system&a=custom_field_editor
	then ‘Add a new Custom Field to this Module’, use Field Display Type as Label, add <script>alert('xss custom module tag options');</script> for HTML Tag Options.  Keep description blank and this field will be invisible when being executed in the victim’s browser
3. Companies is vulnerable to multiple XSS attacks in the following fields:
	Company Name, Address1, Address2, URL, and Description via page: http://[ip]/dotproject/index.php?m=companies&a=addedit
4. Projects is vulnerable to multiple XSS attacks, but it is only when viewing that specific project’s details.  When listing all projects the script is not executed and the text is all displayed, so this is not very covert.
	Project Name, URL, Staging URL, and Description via page http://[ip]/dotproject/index.php?m=projects&a=addedit
5. Tasks is vulnerable to XSS via the Task Name field but no other fields.
	http://[ip]/dotproject/index.php?m=tasks
6. Files has multiple XSS issues.
	Folder Name is vulnerable to XSS via http://[ip]/dotproject/index.php?m=files&a=addedit_folder
	File Description is vulnerable to XSS via http://[ip]/dotproject/index.php?m=files&a=addedit&folder=0
7. Contacts (contact list is safe) is vulnerable to XSS when viewing that contact’s details, similar to #4
	Job Title, Title, Address1, Address2, URL, Jabber, MSN, Yahoo, and Contact Notes are all vulnerable via http://[ip]/dotproject/index.php?m=contacts&a=addedit
8. Forums is vulnerable to XSS
	Forum Name and Description are vulnerable to XSS via http://[ip]/dotproject/index.php?m=forums&a=addedit
	Within a Topic, a Subject and message are both vulnerable to XSS
9. Tickets is vulnerable to XSS attacks in the following field:
	E-Mail via http://[IP]/dotproject/index.php?m=ticketsmith&a=post_ticket

Navigation

Suggest Exploit

Services By CQR