celoxis-xss.txt

`==Background==  
>From Celoxis.com:  
> Celoxis is a comprehensive web based project management   
> tool to improve collaboration and streamline management   
> of projects, time sheets, expenses and even business   
> processes specific to your organization  
  
==Problem==  
The Celoxis project management software contains several pages that   
accept parameters in their URLs and display the contents of those   
parameters as page content. Many of these parameters may contain   
HTML tags, including the <script> tag, and in most cases their   
content is not sanitized in any way. These parameters are used   
internally by the software to display messages to the end user.   
Most of these pages are only accessible with a paid or trial   
subscription.  
  
==Proof of Concept==  
The following POC may be accessed without a subscription:  
  
http://asp1.celoxis.com/psa/user.do?bxn=umyhome&ni.smessage=XSS+goes  
+here+%3cscript%3ealert('XSS')%3c/script%3e  
  
==Potential Impact==  
This vulnerability can be used to manipulate arbitrary objects   
within the application without user authorization. Objects include   
projects, tasks, users, etc. It appears to be possible to exploit   
this vulnerability to cause users to delete their own projects.   
  
==Timeline==  
2008-09-18: Initial vendor notification  
2008-09-18: Initial vendor response; vendor disputed threat  
2008-09-18: Vendor contacted  
2008-09-23: Vendor contacted; given one week notice  
2008-09-30: Public disclosure  
  
--  
Let the sun shine in! Click now for a beautiful new sunroom!  
http://tagline.hushmail.com/fc/Ioyw6h4ddBukZA12WnUtC0wHdj0NEgJwVbWX9HJQli2MViAetL6kKc/  
  
`