phpBugTracker 1.0.5 Multiple Reflected XSS Vulnerabilities


Vendor: Benjamin Curtis
Product web page: http://phpbt.sourceforge.net/
Affected version: 1.0.5

Summary: phpBugTracker is a web-based bug tracker with functionality
similar to other issue tracking systems, such as Bugzilla. Design
focuses on separating the presentation, application, and database
layers. phpBugTracker is lightweight and easy to install, operate
and administer. Most text can be customized for your application.

Desc: phpBugTracker suffers from multiple cross-site scripting vulns.
The issue is triggered when input passed via the 'form' parameter to
the 'query.php' script is not properly sanitized before being returned
to the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
'query.php' and 'newaccount.php' are also vulnerable because they fail
to perform filtering when using the REQUEST_URI variable.

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com


Advisory ID: ZSL-2011-4996
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4996.php


07.02.2011


-----

http://127.0.0.1/query.php?op=doquery&form=1>'><script>alert(1)</script>
http://127.0.0.1/query.php/>'><script>alert(1)</script>
http://127.0.0.1/newaccount.php/>"><script>alert(1)</script>