====================================================================== ProjectPier <= 0.80 Cross Site Scripting and Request Forgery ====================================================================== Author: L4teral Impact: Cross Site Scripting Cross Site Request Forgery Status: patch available ------------------------------ Affected software description: ------------------------------ Application: ProjectPier Version: <= 0.80 Vendor: http://www.projectpier.org Description: ProjectPier is a Free, Open-Source, self-hosted PHP application for managing tasks, projects and teams through an intuitive web interface. ProjectPier will help your organization communicate, collaborate and get things done Its function is similar to commercial groupware/project management products, but allows the freedom and scalability of self-hosting. Even better, it will always be free. -------------- Vulnerability: -------------- 1. The login page is vulnerable to cross site scripting. 2. script code can be embedded into messages. 3. script code can be embedded into milestones. 4. script code can be embedded into a users display name. 5. The application is vulnerable to cross site request forgery. A project e.g. can be deleted with a simple GET request (see PoC). Combined with the XSS vulnerabilies, the code can be embedded into a message - if an admin views it, the browser will send the request to delete a project without being visible to the admin. ------------ PoC/Exploit: ------------ 1. http://localhost/projectpier/index.php?c=access">&a=login"> 2. create a message with 3. create a milestone with 4. set the display name in the profile to 5. --------- Solution: --------- update to version 0.8.0.1 or above. --------- Timeline: --------- 2007-10-24 - vendor informed 2007-10-24 - vendor responded 2008-02-13 - vendor released new version 2008-02-17 - public disclosure