---------------------------------------------------------------------------
Multiple Vulnerabilities in phpScheduleIt
---------------------------------------------------------------------------

Author: Joxean Koret
Date: 2004
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

phpScheduleIt 1.0.0 RC1

phpScheduleIt is a web application that attempts to solve the problem of
scheduling and managing resource utilization. It provides a
permissions-based calendar that allows users to self-register and reserve
resources, and the tools to manage those reservations. Some typical
applications are conference room, equipment, or work shift scheduling.

Web : http://www.php.brickhost.com/

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Multiple Cross Site Scripting Vulnerabilities

A1. When you register a new user, the fields "Name" and "Last Name" (at
least) accept potentially dangerous HTML (and also any client-side
scripting language). If you want to try it, follow these steps:

  1.- Go to http://
  2.- Click on "Click Here to Register".
  3.- Enter the required fields and, in the name and/or last name, insert
      the following data: a<script>alert(document.cookie)</script>
  4.- Click on register. The system doesn't check whether the e-mail is
      valid and/or whether this is a robot! You are logged in!!!
  5.- You will see your cookie in a box.

Exploitation of this issue could allow for theft of cookie-based
authentication credentials. Other attacks are also possible.

A2. When you create a new Schedule, you can insert potentially dangerous
HTML or client-side script in the Schedule Name field.

Exploitation of this issue could allow for theft of cookie-based
authentication credentials. Other attacks are also possible.

B. Privilege Escalation Vulnerabilities

B1. Privilege escalation (Administrator privileges) of a normal user.
The best way to test it is by following these steps:

  1.- Go to http://
  2.- Log in as administrator.
  3.- Now insert in the browser the following location: http://
      or just click on the Back button in your browser.
  4.- Log in as a normal user.
  5.- The user is a normal user with the Admin user privileges.

This doesn't work if the Administrator clicks on "Logout".

NOTE: This requires that the user be on the same machine and browser as
the administrator and is really more of a physical security issue than a
programmatic risk.

The fix:
~~~~~~~~

The security issues have been fixed and will be included in the codebase
starting with version 1.0.0.

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind. I am not liable for any direct
or indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<>>>>es
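As an added illustration (not code from the advisory or from phpScheduleIt itself), the following Python models the two fixes a defender would apply to the issues above: escaping user-supplied fields on output for A1/A2, and issuing a brand-new session on every login so that a later login in the same browser cannot inherit an earlier administrator session, as in B1. The SessionStore class, the "reuse the old session and only overwrite some fields" weak pattern it contrasts against, and all sample values are assumptions made for illustration; the advisory does not describe phpScheduleIt's internals.

```python
import html
import secrets

# Constructed sample input: the payload quoted in step 3 of A1.
XSS_PAYLOAD = "a<script>alert(document.cookie)</script>"


# --- A1/A2: keep the raw value in storage, escape at render time ---------

def render_name(raw_name: str) -> str:
    """Return an HTML-safe rendering of a user-supplied name field.

    html.escape converts <, >, &, " and ' into entities, so any markup
    the user typed is displayed as literal text rather than parsed by
    the browser."""
    return html.escape(raw_name, quote=True)


def contains_raw_tag(rendered: str) -> bool:
    """True if a rendered string still carries an unescaped tag delimiter."""
    return "<" in rendered or ">" in rendered


# --- B1: fresh session per login, old session discarded -------------------

class SessionStore:
    """Hypothetical server-side session store (assumption, not real code).

    With regenerate_on_login=True every login discards whatever session
    the browser presented and mints a new one. With False it models an
    assumed weak pattern: the existing session is reused and only the
    fields the login form knows about are written, so a privilege flag
    set by an earlier login survives."""

    def __init__(self, regenerate_on_login: bool = True):
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}  # session_id -> dict of session data

    def login(self, presented_sid, username: str, is_admin: bool) -> str:
        if not self.regenerate_on_login and presented_sid in self._sessions:
            data = self._sessions[presented_sid]
            data["user"] = username
            if is_admin:
                data["is_admin"] = True  # never cleared for non-admin logins
            return presented_sid
        # Hardened path: drop the presented session and issue a new id.
        self._sessions.pop(presented_sid, None)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = {"user": username, "is_admin": is_admin}
        return new_sid

    def logout(self, sid) -> None:
        self._sessions.pop(sid, None)

    def is_admin(self, sid) -> bool:
        return self._sessions.get(sid, {}).get("is_admin", False)

    def has_session(self, sid) -> bool:
        return sid in self._sessions


def b1_scenario(regenerate_on_login: bool):
    """Replay the B1 steps: admin logs in, leaves without Logout, a normal
    user logs in from the same browser. Returns
    (normal_user_has_admin, old_admin_session_still_valid)."""
    store = SessionStore(regenerate_on_login)
    admin_sid = store.login(None, "admin", is_admin=True)          # step 2
    # step 3: no Logout click; the browser still holds admin_sid
    user_sid = store.login(admin_sid, "normal_user", is_admin=False)  # step 4
    return store.is_admin(user_sid), store.has_session(admin_sid)


if __name__ == "__main__":
    print(render_name(XSS_PAYLOAD))
    print("weak session handling:", b1_scenario(False))
    print("regenerate on login:  ", b1_scenario(True))
```

Escaping at output time rather than stripping at input time is the usual choice because it keeps the stored value intact and applies to every place the field is displayed, including the Schedule Name field of A2. For B1, note that regenerating the session on login also removes the dependence on the administrator remembering to click "Logout".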