           - EXPL-A-2005-017 exploitlabs.com Advisory 046 -
                           - devhound -

AFFECTED PRODUCTS
=================
DevHound v2.24 and earlier
http://www.nexusconcepts.com/devhound.html

OVERVIEW
========
Dev Hound is a web based project management system designed for bug
tracking, tracking projects, development teams, software releases,
clients, support calls and knowledge bases. Featuring its own web
server, 2 minute server install, email notifications, mail merge client
emailing, reports, graphs and a Windows XP style easy to use interface,
Dev Hound makes life easier for software developers, QA personnel,
project managers and customers.

DETAILS
=======
1. cleartext username and password

DevHound stores username and password information in cleartext in the file:
C:\[devhound-path]\data\devhound.tdbd

2. persistent XSS

Nearly every user input field is vulnerable to persistent XSS. The
injected script is stored and later rendered in the context of the
user's browser without the need to click any special link. In this case
XSS may disclose cookie and credential data.

2a. denial of service

Some script input may cause the UI to become totally inoperable due to
the application's failure to properly filter script content; forced URL
redirection is also possible.

3. path disclosure

Requesting a nonexistent .dll file returns an error message that
reveals a local file-system path of the server.

POC
===
1. by viewing the file:
C:\[devhound-path]\data\devhound.tdbd

testuser
testpass

2. any scripting tag of the attacker's choice

3. http://[devhound-url]\null.dll

"Web Server Exception Occurred: Unable to load DLL: NULL.DLL
(C:\My Projects\webserver\dllStore.pas, line 120)"

SOLUTION:
=========
vendor contact:  Dec 15, 2005  support@nexusconcepts.com
vendor response: Dec 16, 2005  Beta Patches released v2.25
                 Dec 17, 2005  Beta Patches released v.2.26
                 Dec 19, 2005  Final Patches released v.2.26

http://www.nexusconcepts.com/downloads/installdevhound.exe
http://www.nexusconcepts.com/downloads/upgradedevhound.exe

Researcher comment:
-------------------
Great vendor response time, and understanding of the issues involved. Bravo.

Credits
=======
This vulnerability was discovered and researched by Donnie Werner of exploitlabs

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
--
web: http://exploitlabs.com
web: http://zone-h.org

http://www.exploitlabs.com/files/advisories/EXPL-A-2005-017-devhound.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
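Two defender-side checks for the persistent XSS and path disclosure issues described in the advisory, added here as an example (this is not the advisory's or DevHound's own code): encoding a stored field value before it is placed in HTML, and finding or redacting the Windows path that the null.dll error message leaks. The sample error body is constructed from the message quoted in the POC; the function names are the example's own.

```python
import html
import re

# Windows absolute path such as C:\My Projects\webserver\dllStore.pas, with the
# optional ", line N" suffix that the quoted DevHound error message carries.
_WIN_PATH = re.compile(r"[A-Za-z]:\\[^\r\n\"<>|*?]+?\.[A-Za-z0-9]{1,4}(?:, line \d+)?")


def leaked_paths(body: str) -> list[str]:
    """Return every file-system path found in an HTTP response body.

    Run this over error responses (or stored copies of them) to confirm
    the path disclosure is gone after patching.
    """
    return _WIN_PATH.findall(body)


def redact_paths(body: str) -> str:
    """Server-side mitigation: strip local paths from an error message before it is sent."""
    return _WIN_PATH.sub("[path removed]", body)


def render_stored_field(value: str) -> str:
    """Mitigation for the persistent XSS: a stored, user-supplied field is encoded
    as text at render time, so tags and attribute quotes never reach the parser as markup."""
    return html.escape(value, quote=True)


# Constructed sample: the error body the advisory quotes for a request to /null.dll.
SAMPLE_ERROR_BODY = (
    "Web Server Exception Occurred: Unable to load DLL: NULL.DLL "
    "(C:\\My Projects\\webserver\\dllStore.pas, line 120)"
)

if __name__ == "__main__":
    print(leaked_paths(SAMPLE_ERROR_BODY))
    print(redact_paths(SAMPLE_ERROR_BODY))
    print(render_stored_field("<script>alert(1)</script>"))
```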