
source: https://www.securityfocus.com/bid/37669/info

dotProject is prone to multiple SQL-injection and HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.

An attacker may leverage the HTML-injection issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is viewed, and launch other attacks.

The attacker may exploit the SQL-injection issues to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

dotProject 2.1.3 is vulnerable; other versions may also be affected.

== Company ===

The company creation screen fails to filter form details before creating a new company.

Proof of Concept

1. Log into dotProject as a user with privileges to create a new company
2. Click the 'Companies' link in the top navigation bar
3. Click the 'new company' button in the upper right
4. Fill in "<script>alert('xss');</script>" for each field except for phone, phone2, and fax. These fields restrict the input size so simply put "<script>alert('1');</script>" in these fields.
5. Click the 'submit' button in the lower right hand corner
6. On the resulting screen the company name XSS will appear.
7. To view the other company XSS attacks browse to index.php?m=companies&a=view&company_id=X where 'X' is the id of the new company. Alternatively you can click on the 'Projects' link in the top navigation then the 'new project' button in the upper right. Create a new project, selecting the newly created company, which will appear as a blank choice in the company drop down list. Save the project and then in the project list click on the company name.

Impact

Any user with the permissions to create new companies can expose other users of dotProject to XSS attacks.

== Project ===

The project creation screen fails to filter form details before creating a new project.

Proof of Concept

1. Log into dotProject as a user with privileges to create a new project
2. Click the 'Projects' link in the top navigation bar
3. Click the 'new project' button in the upper right
4. Fill in "<script>alert('xss');</script>" for the 'Project Name', 'URL', 'Starting URL', and 'Description' fields
5. Click the 'submit' button in the lower right hand corner
6. On the resulting screen the project name XSS will appear.
7. To view the other project XSS attacks browse to index.php?m=projects&a=view&project_id=X where 'X' is the id of the new project.

Impact

Any user with the permissions to create new projects can expose other users of dotProject to XSS attacks.

== Task ===

The task creation screen fails to filter form details before creating a new task.

Proof of Concept

1. Log into dotProject as a user with privileges to create a task
2. Click the 'Projects' link in the top navigation bar
3. Click on a project name to which the user account has permissions
4. Click the 'new task' button in the upper right
5. Fill in "<script>alert('xss');</script>" for the 'Task Name', 'Web Address', 'Description', and 'Description' fields
6. Click on the 'Dates' tab and select an appropriate date
7. Click the 'save' button in the lower right hand corner
8. On the resulting screen the task name XSS will appear.
9. To view the other task summary XSS attacks browse to index.php?m=tasks&a=view&task_id=X where 'X' is the id of the new task.

Impact

Any user with the permissions to create new tasks can expose other users of dotProject to XSS attacks.

== Task Log ===

The task log creation screen fails to filter form details before creating a new task log.

Proof of Concept

1. Log into dotProject as a user with privileges to create a task
2. Click the 'Tasks' link in the top navigation bar
3. Click on a task name to which the user account has permissions
4. Click the 'New Log' tab
5. Fill in "<script>alert('xss');</script>" for the 'Summary' and 'Description' fields, and enter ""><script>alert('log url');</script>" for the 'URL' field
6. Click the 'update task' button in the lower right hand corner
7. On the resulting screen the task name XSS will appear.
8. To view the other task log XSS attacks browse to index.php?m=tasks&a=view&task_id=X where 'X' is the id of the task.

Impact

Any user with the permissions to create new task logs (virtually all dotProject users) can expose other users of dotProject to XSS attacks.

== Files ===

The file attachment screen fails to filter form details before creating a new file attachment.

Proof of Concept

1. Log into dotProject as a user with privileges to create a file
2. Click the 'Files' link in the top navigation bar
3. Click the 'new folder' button in the upper right
4. Fill in "<script>alert('xss');</script>" for the 'Folder Name' and 'Description' fields
5. Click on the 'new file' button in the upper right
6. Observe the 'Folder name' XSS
7. Fill in "<script>alert('xss');</script>" for the 'Description' field and choose a file to upload
8. Click the 'submit' button in the lower right hand corner
9. On the resulting screen the file description XSS will appear.

Impact

Any user with the permissions to create new files can expose other users of dotProject to XSS attacks.

== Events ===

The events screen fails to filter form details before creating a new event.

Proof of Concept

1. Log into dotProject as a user with privileges to create an event
2. Select 'Event' from the '-New Item-' drop down in the upper right or navigate to index.php?m=calendar&a=addedit
3. Fill in "<script>alert('xss');</script>" for the 'Event Title' and 'Description' fields
4. Click on the 'submit' button in the lower right
5. Observe the XSS at the View Event screen index.php?m=calendar&a=view&event_id=X where 'X' is the id of the new event.

Impact

Any user with the permissions to create new events can expose other users of dotProject to XSS attacks.

== Contacts ===

The contacts screen fails to filter form details before creating a new contact.

Proof of Concept

1. Log into dotProject as a user with privileges to create a new contact
2. Select 'Contact' from the '-New Item-' drop down in the upper right or navigate to index.php?m=contacts&a=addedit
3. Fill in "<script>alert('xss');</script>" for every field
4. Click on the 'submit' button in the lower right
5. Observe the XSS at the View Contact screen index.php?m=contacts&a=view&contact_id=X where 'X' is the id of the new contact.

Impact

Any user with the permissions to create new contacts can expose other users of dotProject to XSS attacks.

== Tickets ===

The Submit Trouble Ticket screen fails to filter form details before creating a new ticket.

Proof of Concept

1. Log into dotProject as a user with privileges to create a new ticket
2. Click the 'Tickets' link in the top navigation bar or navigate to index.php?m=ticketsmith&a=post_ticket
3. Fill in "<script>alert(\'xss\');</script>" for the 'E-mail' field
4. Click on the 'submit' button in the lower right
5. Observe the XSS at the View Ticket screen index.php?m=ticketsmith&a=view&ticket=X where 'X' is the id of the new ticket.

Impact

Any user with the permissions to create new tickets can expose other users of dotProject to XSS attacks.

== Forums ===

The Add Forum screen fails to filter form details before creating a new forum.

Proof of Concept

1. Log into dotProject as a user with privileges to create a new forum
2. Click the 'Forums' link in the top navigation bar or navigate to index.php?m=forums&a=post_ticket
3. Fill in "<script>alert(\'xss\');</script>" for the 'Forum Name' and 'Description' fields
4. Click on the 'submit' button in the lower right
5. Observe the XSS at the Forums screen index.php?m=forums

Impact

Any user with the permissions to create new forums can expose other users of dotProject to XSS attacks.

== Forum Topics ===

The Forum Add Message screen fails to filter form details before creating a new topic.

Proof of Concept

1. Log into dotProject as a user with privileges to create a new forum topic
2. Click the 'Forums' link in the top navigation bar or navigate to index.php?m=forums
3. Click on the name of a forum
4. Click on the 'start a new topic' button in the upper right
5. Fill in "<script>alert(\'xss\');</script>" for the 'Subject' and 'Message' fields
6. Click on the 'submit' button in the lower right
7. Observe the XSS at the Forums topics screen or index.php?m=forums&a=viewer&forum_id=2&message_id=X where 'X' is the id of the topic

Impact

Any user with the permissions to create new forum topics can expose other users of dotProject to XSS attacks.
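Every section above describes the same defect: a form value is stored and later written into a page without output encoding. The following Python illustration is added here and is not dotProject's PHP code; it places the advisory's test strings into a constructed record (field names are assumptions), shows the unencoded rendering beside the encoded fix, and adds a check a defender can run over already-stored rows.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample record holding the advisory's three test strings.
# Field names are assumptions for illustration, not dotProject's schema.
COMPANY = {
    "company_name": "<script>alert('xss');</script>",
    "company_phone": "<script>alert('1');</script>",
    "company_url": "\"><script>alert('log url');</script>",
}

def render_vulnerable(record):
    # The pattern the advisory describes: stored values are written into the
    # page as-is, so the browser executes whatever the submitter typed.
    return '<td>%s</td><a href="%s">site</a>' % (
        record["company_name"], record["company_url"])

def safe_href(url):
    # Escaping alone does not neutralise a javascript: URL in href, so the
    # scheme is allow-listed before the value is quoted for attribute context.
    if urlparse(url).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)

def render_hardened(record):
    # Fix: HTML-encode every untrusted value at output time. quote=True also
    # encodes " and ', which the '"><script>' URL variant relies on to break
    # out of the attribute.
    return '<td>%s</td><a href="%s">site</a>' % (
        html.escape(record["company_name"], quote=True),
        safe_href(record["company_url"]))

SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)

def contains_markup(value):
    return bool(SCRIPT_RE.search(value))

def scan_record(record):
    """Defender check over stored rows: names of fields whose value looks like
    injected script, so existing records can be found and cleaned up."""
    return sorted(k for k, v in record.items() if contains_markup(v))

if __name__ == "__main__":
    print(render_vulnerable(COMPANY))
    print(render_hardened(COMPANY))
    print(scan_record(COMPANY))
```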

SQL Injection Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

SQL injection vulnerabilities could allow an attacker to expose sensitive data, such as password hashes, alter the database contents to introduce stored XSS vulnerabilities, reset administrative user passwords to allow escalation of privilege and other attacks that could lead to the compromise of data, user account credentials, or even the web server.

The following URLs expose PHP functions that are vulnerable to SQL injection:

index.php?m=departments&a=addedit&company_id=1'
index.php?m=ticketsmith&a=view&ticket=1'
index.php?m=files&a=index&tab=4&folder=1'
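Each of these parameters (company_id, ticket, folder) is an integer id, so the single quote in the probe should never reach the SQL parser. The following Python/sqlite3 illustration is added here and is not dotProject's own code (table and column names are assumptions): it contrasts a lookup that concatenates the id, where the 1' probe produces a syntax error, with a type-checked, parameterised lookup that rejects the same input before any query runs.

```python
import sqlite3

def make_db():
    # Constructed in-memory schema standing in for the lookup behind the
    # company_id parameter; table and column names are assumptions, not
    # dotProject's real schema.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE companies(company_id INTEGER PRIMARY KEY, company_name TEXT);
        INSERT INTO companies VALUES (1, 'Acme');
    """)
    return db

def lookup_vulnerable(db, company_id):
    # The pattern behind the advisory's URLs: the raw GET value is pasted into
    # the statement text, so whatever the client sends becomes part of the SQL.
    sql = "SELECT company_name FROM companies WHERE company_id = '%s'" % company_id
    return db.execute(sql).fetchall()

def lookup_hardened(db, company_id):
    # Fix: ids are integers, so reject anything else up front, then bind the
    # value as a parameter so it can never be interpreted as SQL.
    if not str(company_id).isdigit():
        return None  # caller answers with 400 and logs the rejected value
    return db.execute(
        "SELECT company_name FROM companies WHERE company_id = ?",
        (int(company_id),)).fetchall()

def probe(db, value):
    """Run the concatenating lookup and report whether the value broke the
    statement. A database error on the advisory's 1' probe is the symptom
    that reveals concatenation; the hardened lookup never gets that far."""
    try:
        return lookup_vulnerable(db, value)
    except sqlite3.OperationalError:
        return "error"

if __name__ == "__main__":
    db = make_db()
    print(probe(db, "1"), probe(db, "1'"))
    print(lookup_hardened(db, "1"), lookup_hardened(db, "1'"))
```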

Additionally some forms allow for SQL injection:

* The ticket creation form index.php?m=ticketsmith&a=post_ticket does not properly sanitize single quotes in the Name or Email fields