Vulners
Lucene search
dotProject 2.1.3 XSS and Improper Permissions
=============================================
dotProject 2.1.3 XSS and Improper Permissions
=============================================
# Exploit Title: dotProject 2.1.3 XSS and Improper Permissions
# Date: Dec 15 2009
# Author: h00die
# Software Link: http://sourceforge.net/projects/dotproject/files/dotproject/dotProject%20Version%202.1.3/dotproject_2_1_3.zip/download
# Version: 2.1.3
# Tested on: BT4 pre-final
#Timeline
#Discovery Date: Dec 9 2009
#Vendor Notification: Jan 5 2010
#Public Disclosure:
#Findings:
1. Admin’s Custom Field page is not properly protected from standard users (Default User, role of Project Worker), which can be used with finding 2.
http://[ip]/dotproject/index.php?m=system&a=custom_field_editor
2. Cross Site Scripting (XSS) via HTML Tag Options field for Custom Fields within all categories (Companies, Projects, Tasks, Calendar)
http://[ip]/dotproject/index.php?m=system&a=custom_field_editor
then ‘Add a new Custom Field to this Module’, use Field Display Type as Label, add <script>alert('xss custom module tag options');</script> for HTML Tag Options. Keep description blank and this field will be invisible when being executed in the victim’s browser
3. Companies is vulnerable to multiple XSS attacks in the following fields:
Company Name, Address1, Address2, URL, and Description via page: http://[ip]/dotproject/index.php?m=companies&a=addedit
4. Projects is vulnerable to multiple XSS attacks, but it is only when viewing that specific project’s details. When listing all projects the script is not executed and the text is all displayed, so this is not very covert.
Project Name, URL, Staging URL, and Description via page http://[ip]/dotproject/index.php?m=projects&a=addedit
5. Tasks is vulnerable to XSS via the Task Name field but no other fields.
http://[ip]/dotproject/index.php?m=tasks
6. Files has multiple XSS issues.
Folder Name is vulnerable to XSS via http://[ip]/dotproject/index.php?m=files&a=addedit_folder
File Description is vulnerable to XSS via http://[ip]/dotproject/index.php?m=files&a=addedit&folder=0
7. Contacts (contact list is safe) is vulnerable to XSS when viewing that contact’s details, similar to #4
Job Title, Title, Address1, Address2, URL, Jabber, MSN, Yahoo, and Contact Notes are all vulnerable via http://[ip]/dotproject/index.php?m=contacts&a=addedit
8. Forums is vulnerable to XSS
Forum Name and Description are vulnerable to XSS via http://[ip]/dotproject/index.php?m=forums&a=addedit
Within a Topic, a Subject and message are both vulnerable to XSS
9. Tickets is vulnerable to XSS attacks in the following field:
E-Mail via http://[IP]/dotproject/index.php?m=ticketsmith&a=post_ticket
# 0day.today [2018-03-12] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Jan 2010 00:00Current
7.1High risk
Vulners AI Score7.1