dotProject Multiple Vulnerabilities

30 November -0001
Description of Vulnerability:

dotProject (http://www.dotproject.net/) is a robust open source project management tool written in PHP and MySQL. dotProject contains numerous serious cross site scripting (XSS) and SQL injection vulnerabilities.

Systems affected:

dotProject 2.1.3 was tested and shown to be vulnerable

Mitigating factors

None of the vulnerabilities described below can be exploited by unauthenticated users. An attacker must have credentials to access the site in order to perform the proof of concept attacks detailed below.

Cross Site Scripting Vulnerabilities

The persistent cross site scripting attacks described below could expose users to credential theft, browser based attacks (such as remote iframe), invisible redirects (phishing), or other client side vectors.

== Company ===

The company creation screen fails to filter form details before creating a new company.

Proof of Concept

  1. Log into dotProject as a user with privileges to create a new company
  2. Click the 'Companies' link in the top navigation bar
  3. Click the 'new company' button in the upper right
  4. Fill in "<script>alert('xss');</script>" for each field except for phone, phone2, and fax. These fields restrict the input size so simply put "<script>alert('1');</script>" in these fields.
  5. Click the 'submit' button in the lower right hand corner
  6. On the resulting screen the company name XSS will appear.
  7. To view the other company XSS attacks browse to index.php?m=companies&a=view&company_id=X where 'X' is the id of the new company. Alternatively you can click on the 'Projects' link in the top navigation then the 'new project' button in the upper right. Create a new project, selecting the newly created company, which will appear as a blank choice in the company drop down list. Save the project and then in the project list click on the company name.

Impact

Any user with the permissions to create new companies can expose other users of dotProject to XSS attacks.

== Project ===

The project creation screen fails to filter form details before creating a new project.

Proof of Concept

  1. Log into dotProject as a user with privileges to create a new project
  2. Click the 'Projects' link in the top navigation bar
  3. Click the 'new project' button in the upper right
  4. Fill in "<script>alert('xss');</script>" for the 'Project Name', 'URL', 'Starting URL', and 'Description' fields
  5. Click the 'submit' button in the lower right hand corner
  6. On the resulting screen the project name XSS will appear.
  7. To view the other project XSS attacks browse to index.php?m=projects&a=view&project_id=X where 'X' is the id of the new project.

Impact

Any user with the permissions to create new projects can expose other users of dotProject to XSS attacks.

== Task ===

The task creation screen fails to filter form details before creating a new task.

Proof of Concept

  1. Log into dotProject as a user with privileges to create a task
  2. Click the 'Projects' link in the top navigation bar
  3. Click on a project name to which the user account has permissions
  4. Click the 'new task' button in the upper right
  5. Fill in "<script>alert('xss');</script>" for the 'Task Name', 'Web Address', 'Description', and 'Description' fields
  6. Click on the 'Dates' tab and select an appropriate date
  7. Click the 'save' button in the lower right hand corner
  8. On the resulting screen the task name XSS will appear.
  9. To view the other task summary XSS attacks browse to index.php?m=tasks&a=view&task_id=X where 'X' is the id of the new task.

Impact

Any user with the permissions to create new tasks can expose other users of dotProject to XSS attacks.

== Task Log ===

The task log creation screen fails to filter form details before creating a new task log.

Proof of Concept

  1. Log into dotProject as a user with privileges to create a task
  2. Click the 'Tasks' link in the top navigation bar
  3. Click on a task name to which the user account has permissions
  4. Click the 'New Log' tab
  5. Fill in "<script>alert('xss');</script>" for the 'Summary', and 'Description' fields, enter ""><script>alert('log url');</script>" for the 'URL' field
  6. Click the 'update task' button in the lower right hand corner
  7. On the resulting screen the task name XSS will appear.
  8. To view the other task log XSS attacks browse to index.php?m=tasks&a=view&task_id=X where 'X' is the id of the task.

Impact

Any user with the permissions to create new task logs (virtually all dotProject users) can expose other users of dotProject to XSS attacks.

== Files ===

The file attachment screen fails to filter form details before creating a new file attachment.

Proof of Concept

  1. Log into dotProject as a user with privileges to create a file
  2. Click the 'Files' link in the top navigation bar
  3. Click on a 'new folder' button in the upper right
  4. Fill in "<script>alert('xss');</script>" for the 'Folder Name', and 'Description' fields
  5. Click on the 'new file' button in the upper right
  6. Observer the 'Folder name' XSS
  7. Fill in "<script>alert('xss');</script>" for the 'Description' field and choose a file to upload
  8. Click the 'submit' button in the lower right hand corner
  9. On the resulting screen the file description XSS will appear.

Impact

Any user with the permissions to create new files can expose other users of dotProject to XSS attacks.

== Events ===

The events screen fails to filter form details before creating a new events.

Proof of Concept

  1. Log into dotProject as a user with privileges to create an event
  2. Select 'Event' from the '-New Item-' drop down in the upper right or navigate to index.php?m=calendar&a=addedit
  3. Fill in "<script>alert('xss');</script>" for the 'Event Title', and 'Description' fields
  4. Click on the 'submit' button in the lower right
  5. Observe the XSS at the View Event screen index.php?m=calendar&a=view&event_id=X where 'X' is the id of the new event.

Impact

Any user with the permissions to create new events can expose other users of dotProject to XSS attacks.

== Contacts ===

The contacts screen fails to filter form details before creating a new events.

Proof of Concept

  1. Log into dotProject as a user with privileges to create a new contact
  2. Select 'Contact' from the '-New Item-' drop down in the upper right or navigate to index.php?m=contacts&a=addedit
  3. Fill in "<script>alert('xss');</script>" for every field
  4. Click on the 'submit' button in the lower right
  5. Observe the XSS at the View Contact screen index.php?m=contacts&a=view&contact_id=X where 'X' is the id of the new contact.

Impact

Any user with the permissions to create new contacts can expose other users of dotProject to XSS attacks.

== Tickets ===

The Submit Trouble Ticket screen fails to filter form details before creating a new ticket.

Proof of Concept

  1. Log into dotProject as a user with privileges to create a new ticket
  2. Click the 'Tickets' link in the top navigation bar or navigate to index.php?m=ticketsmith&a=post_ticket
  3. Fill in "<script>alert(\'xss\');</script>" for the 'E-mail' field
  4. Click on the 'submit' button in the lower right
  5. Observe the XSS at the View Contact screen index.php?m=ticketsmith&a=view&ticket=X where 'X' is the id of the new contact.

Impact

Any user with the permissions to create new tickets can expose other users of dotProject to XSS attacks.

== Forums ===

The Add Forum screen fails to filter form details before creating a new forum.

Proof of Concept

  1. Log into dotProject as a user with privileges to create a new forum
  2. Click the 'Forums' link in the top navigation bar or navigate to index.php?m=forums&a=post_ticket
  3. Fill in "<script>alert(\'xss\');</script>" for the 'Forum Name' and 'Description' fields
  4. Click on the 'submit' button in the lower right
  5. Observe the XSS at the Forums screen index.php?m=forums

Impact

Any user with the permissions to create new tickets can expose other users of dotProject to XSS attacks.

== Forum Topics ===

The Forum Add Message screen fails to filter form details before creating a new topic.

Proof of Concept

  1. Log into dotProject as a user with privileges to create a new forum topic
  2. Click the 'Forums' link in the top navigation bar or navigate to index.php?m=forums
  3. Click on the name of a forum
  4. Click on the 'start a new topic' button in the upper right
  5. Fill in "<script>alert(\'xss\');</script>" for the 'Subject' and 'Message' fields
  6. Click on the 'submit' button in the lower right
  7. Observe the XSS at the Forums topics screen or index.php?m=forums&a=viewer&forum_id=2&message_id=X where 'X' is the id of the topic

Impact

Any user with the permissions to create new tickets can expose other users of dotProject to XSS attacks.

SQL Injection Vulnerabilities

SQL injection vulnerabilities could allow an attacker to expose sensitive data, such as password hashes, alter the database contents to introduce stored XSS vulnerabilities, reset administrative user passwords to allow escalation of privilege and other attacks that could lead to the compromise of data, user account credentials, or even the web server.

The following URL's expose PHP functions that are vulnerable to SQL injection:

  • index.php?m=departments&a=addedit&company_id=1'
  • index.php?m=ticketsmith&a=view&ticket=1'
  • index.php?m=files&a=index&tab=4&folder=1'

Additionally some forms allow for SQL injection:

* The ticket creation form index.php?m=ticketsmith&a=post_ticket does not properly sanitize single quotes in the Name or Email fields

Default Credentials

When dotProject is installed an administrative user named 'admin' is created with the default password of 'passwd'.

Impact

The default credentials are easily guessed and users are not forced to change them, leading to the potential for production sites to be deployed using these default credentials.

Vulnerabilities in Included Libraries

The TicketSmith module is generally full of holes, the version (0.6.3) included in dotProject being last updated in 200

  • Request variables are not sanitized in any of the pages and are used for display as well as being interpolated in SQL queries without any sanitization.

    Final Notes

    This report is by no means meant to be exhaustive. Other vulnerabilities may exist in the tested version of dotProject. Hopefully these vulnerabilities will illuminate areas of code which can be updated to fix multiple vulnerability vectors. dotProject already contains defensive measures (such as the dPgetCleanParam function in includes/main_functions.php) that could possibly be used to quickly develop a patch for many of the bespoke vulnerabilities.

    Vendor Response

    These issues have been fixed in the git repository and should be resolved in the next release of dotProject.