dotProject 2.1.3 Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
The full text of this advisory can also be found at  
http://www.madirish.net/?article=444  
  
Description of Vulnerability:  
- -----------------------------  
dotProject (http://www.dotproject.net/) is a robust open source project  
management tool written in PHP and MySQL. dotProject contains numerous  
serious cross site scripting (XSS) and SQL injection vulnerabilities.  
  
Systems affected:  
- -----------------  
dotProject 2.1.3 was tested and shown to be vulnerable  
  
Mitigating factors  
- ------------------  
None of the vulnerabilities described below can be exploited by  
unauthenticated users. An attacker must have credentials to access the  
site in order to perform the proof of concept attacks detailed below.  
  
Cross Site Scripting Vulnerabilities  
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
The persistent cross site scripting attacks described below could expose  
users to credential theft, browser based attacks (such as remote  
iframe), invisible redirects (phishing), or other client side vectors.  
  
== Company ===  
The company creation screen fails to filter form details before creating  
a new company.  
  
Proof of Concept  
1. Log into dotProject as a user with privileges to create a new company  
2. Click the 'Companies' link in the top navigation bar  
3. Click the 'new company' button in the upper right  
4. Fill in "<script>alert('xss');</script>" for each field except for  
phone, phone2, and fax. These fields restrict the input size so simply  
put "<script>alert('1');</script>" in these fields.  
5. Click the 'submit' button in the lower right hand corner  
6. On the resulting screen the company name XSS will appear.  
7. To view the other company XSS attacks browse to  
index.php?m=companies&a=view&company_id=X where 'X' is the id of the new  
company. Alternatively you can click on the 'Projects' link in the top  
navigation then the 'new project' button in the upper right. Create a  
new project, selecting the newly created company, which will appear as a  
blank choice in the company drop down list. Save the project and then  
in the project list click on the company name.  
  
Impact  
Any user with the permissions to create new companies can expose other  
users of dotProject to XSS attacks.  
  
== Project ===  
The project creation screen fails to filter form details before creating  
a new project.  
  
Proof of Concept  
1. Log into dotProject as a user with privileges to create a new project  
2. Click the 'Projects' link in the top navigation bar  
3. Click the 'new project' button in the upper right  
4. Fill in "<script>alert('xss');</script>" for the 'Project Name',  
'URL', 'Starting URL', and 'Description' fields  
5. Click the 'submit' button in the lower right hand corner  
6. On the resulting screen the project name XSS will appear.  
7. To view the other project XSS attacks browse to  
index.php?m=projects&a=view&project_id=X where 'X' is the id of the new  
project.  
  
Impact  
Any user with the permissions to create new projects can expose other  
users of dotProject to XSS attacks.  
  
== Task ===  
The task creation screen fails to filter form details before creating a  
new task.  
  
Proof of Concept  
1. Log into dotProject as a user with privileges to create a task  
2. Click the 'Projects' link in the top navigation bar  
3. Click on a project name to which the user account has permissions  
4. Click the 'new task' button in the upper right  
5. Fill in "<script>alert('xss');</script>" for the 'Task Name', 'Web  
Address', 'Description', and 'Description' fields  
6. Click on the 'Dates' tab and select an appropriate date  
7. Click the 'save' button in the lower right hand corner  
8. On the resulting screen the task name XSS will appear.  
9. To view the other task summary XSS attacks browse to  
index.php?m=tasks&a=view&task_id=X where 'X' is the id of the new task.  
  
Impact  
Any user with the permissions to create new tasks can expose other users  
of dotProject to XSS attacks.  
  
== Task Log ===  
The task log creation screen fails to filter form details before  
creating a new task log.  
  
Proof of Concept  
1. Log into dotProject as a user with privileges to create a task  
2. Click the 'Tasks' link in the top navigation bar  
3. Click on a task name to which the user account has permissions  
4. Click the 'New Log' tab  
5. Fill in "<script>alert('xss');</script>" for the 'Summary', and  
'Description' fields, enter ""><script>alert('log url');</script>" for  
the 'URL' field  
6. Click the 'update task' button in the lower right hand corner  
7. On the resulting screen the task name XSS will appear.  
8. To view the other task log XSS attacks browse to  
index.php?m=tasks&a=view&task_id=X where 'X' is the id of the task.  
  
Impact  
Any user with the permissions to create new task logs (virtually all  
dotProject users) can expose other users of dotProject to XSS attacks.  
  
== Files ===  
The file attachment screen fails to filter form details before creating  
a new file attachment.  
  
Proof of Concept  
1. Log into dotProject as a user with privileges to create a file  
2. Click the 'Files' link in the top navigation bar  
3. Click on a 'new folder' button in the upper right  
4. Fill in "<script>alert('xss');</script>" for the 'Folder Name', and  
'Description' fields  
5. Click on the 'new file' button in the upper right  
6. Observer the 'Folder name' XSS  
7. Fill in "<script>alert('xss');</script>" for the 'Description' field  
and choose a file to upload  
8. Click the 'submit' button in the lower right hand corner  
9. On the resulting screen the file description XSS will appear.  
  
Impact  
Any user with the permissions to create new files can expose other users  
of dotProject to XSS attacks.  
  
== Events ===  
The events screen fails to filter form details before creating a new events.  
  
Proof of Concept  
1. Log into dotProject as a user with privileges to create an event  
2. Select 'Event' from the '-New Item-' drop down in the upper right or  
navigate to index.php?m=calendar&a=addedit  
3. Fill in "<script>alert('xss');</script>" for the 'Event Title', and  
'Description' fields  
4. Click on the 'submit' button in the lower right  
5. Observe the XSS at the View Event screen  
index.php?m=calendar&a=view&event_id=X where 'X' is the id of the new event.  
  
Impact  
Any user with the permissions to create new events can expose other  
users of dotProject to XSS attacks.  
  
== Contacts ===  
The contacts screen fails to filter form details before creating a new  
events.  
  
Proof of Concept  
1. Log into dotProject as a user with privileges to create a new contact  
2. Select 'Contact' from the '-New Item-' drop down in the upper right  
or navigate to index.php?m=contacts&a=addedit  
3. Fill in "<script>alert('xss');</script>" for every field  
4. Click on the 'submit' button in the lower right  
5. Observe the XSS at the View Contact screen  
index.php?m=contacts&a=view&contact_id=X where 'X' is the id of the new  
contact.  
  
Impact  
Any user with the permissions to create new contacts can expose other  
users of dotProject to XSS attacks.  
  
== Tickets ===  
The Submit Trouble Ticket screen fails to filter form details before  
creating a new ticket.  
  
Proof of Concept  
1. Log into dotProject as a user with privileges to create a new ticket  
2. Click the 'Tickets' link in the top navigation bar or navigate to  
index.php?m=ticketsmith&a=post_ticket  
3. Fill in "<script>alert(\'xss\');</script>" for the 'E-mail' field  
4. Click on the 'submit' button in the lower right  
5. Observe the XSS at the View Contact screen  
index.php?m=ticketsmith&a=view&ticket=X where 'X' is the id of the new  
contact.  
  
Impact  
Any user with the permissions to create new tickets can expose other  
users of dotProject to XSS attacks.  
  
== Forums ===  
The Add Forum screen fails to filter form details before creating a new  
forum.  
  
Proof of Concept  
1. Log into dotProject as a user with privileges to create a new forum  
2. Click the 'Forums' link in the top navigation bar or navigate to  
index.php?m=forums&a=post_ticket  
3. Fill in "<script>alert(\'xss\');</script>" for the 'Forum Name' and  
'Description' fields  
4. Click on the 'submit' button in the lower right  
5. Observe the XSS at the Forums screen index.php?m=forums  
  
Impact  
Any user with the permissions to create new tickets can expose other  
users of dotProject to XSS attacks.  
  
== Forum Topics ===  
The Forum Add Message screen fails to filter form details before  
creating a new topic.  
  
Proof of Concept  
1. Log into dotProject as a user with privileges to create a new forum  
topic  
2. Click the 'Forums' link in the top navigation bar or navigate to  
index.php?m=forums  
3. Click on the name of a forum  
4. Click on the 'start a new topic' button in the upper right  
5. Fill in "<script>alert(\'xss\');</script>" for the 'Subject' and  
'Message' fields  
4. Click on the 'submit' button in the lower right  
5. Observe the XSS at the Forums topics screen or  
index.php?m=forums&a=viewer&forum_id=2&message_id=X where 'X' is the id  
of the topic  
  
Impact  
Any user with the permissions to create new tickets can expose other  
users of dotProject to XSS attacks.  
  
  
  
SQL Injection Vulnerabilities  
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
  
SQL injection vulnerabilities could allow an attacker to expose  
sensitive data, such as password hashes, alter the database contents to  
introduce stored XSS vulnerabilities, reset administrative user  
passwords to allow escalation of privilege and other attacks that could  
lead to the compromise of data, user account credentials, or even the  
web server.  
  
The following URL's expose PHP functions that are vulnerable to SQL  
injection:  
  
  
index.php?m=departments&a=addedit&company_id=1'  
index.php?m=ticketsmith&a=view&ticket=1'  
index.php?m=files&a=index&tab=4&folder=1'  
  
Additionally some forms allow for SQL injection:  
  
* The ticket creation form index.php?m=ticketsmith&a=post_ticket does  
not properly sanitize single quotes in the Name or Email fields  
  
Default Credentials  
- -=-=-=-=-=-=-=-=-=-=-=-  
When dotProject is installed an administrative user named 'admin' is  
created with the default password of 'passwd'.  
  
Impact  
The default credentials are easily guessed and users are not forced to  
change them, leading to the potential for production sites to be  
deployed using these default credentials.  
  
  
Vulnerabilities in Included Libraries  
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
The TicketSmith module is generally full of holes, the version (0.6.3)  
included in dotProject being last updated in 2001. Request variables  
are not sanitized in any of the pages and are used for display as well  
as being interpolated in SQL queries without any sanitization.  
  
Final Notes  
- -=-=-=-=-=-  
This report is by no means meant to be exhaustive. Other  
vulnerabilities may exist in the tested version of dotProject.  
Hopefully these vulnerabilities will illuminate areas of code which can  
be updated to fix multiple vulnerability vectors. dotProject already  
contains defensive measures (such as the dPgetCleanParam function in  
includes/main_functions.php) that could possibly be used to quickly  
develop a patch for many of the bespoke vulnerabilities.  
  
Vendor Response  
- ---------------  
These issues have been fixed in the git repository and should be  
resolved in the next release of dotProject.  
  
- --   
Justin C. Klein Keane  
http://www.MadIrish.net  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.10 (GNU/Linux)  
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/  
  
iPwEAQECAAYFAktGOKYACgkQkSlsbLsN1gDvfgcAs8RP/dsdpRuky0eGZx0j26D2  
AFj5c/zEdVCvfXu6D8wb25HLV9vYz3E1BOOe7r8GL6MO/uydRaDtNhQIo1XlOCig  
X6ua3yRVnhBMHmLd8OS2xCeXwJGQZ9gPsYPwYpJteOKEDg2XPoW8kdip7eX53/6G  
8/k9xn2Zox00YlivjczWhLHvO3ec3eIKMzZuiZhRxw3aDGdPaCfn0QipyZQAaP9D  
2JamhY0Y+yuynswhG1M6B+qXV9Q8nFuDsa5OAn0MNXou3eo5UD9X8vT9Zn8Nd3ba  
N85eHVXpIqkXiS+zEV8=  
=RTF2  
-----END PGP SIGNATURE-----  
  
`