Disclosure: gtd-php Multiple Vulnerabilities

[This was originally published on OSVDB, now gone. VulnDB IDs 24149, 24150, 24151, 24152, 24153, 24154, 24155, 24156, 24157, 24158]

From: security curmudgeon
To: sjrey[at]users.sourceforge.net
Date: Sun, 19 Mar 2006 22:42:24 -0500 (EST)
Subject: gtd input sanitization (XSS) vulnerabilities

Hey Serge,

While playing with the version 0.5 demo of gtd, I noticed that the program doesn’t sanitize user input in several places. This can allow for various forms of Cross-Site Scripting (XSS) attacks. Here are the places I noticed:

http://gtd-php.sourceforge.net/gtd/newProject.php
Description and Title Field
Script renders when listProjects.php is called, or any page that gives the Project drop down selection.

http://gtd-php.sourceforge.net/gtd/newList.php
Description and Title Field
Script renders when listList.php is called.

http://gtd-php.sourceforge.net/gtd/newWaitingOn.php
Description and Title Field
Script renders when listWaitingOn.php is called.

http://gtd-php.sourceforge.net/gtd/newChecklist.php
Title Field
Script renders when listChecklist.php is called.

http://gtd-php.sourceforge.net/gtd/newContext.php
Title Field
Script renders when reportContext.php is called.

http://gtd-php.sourceforge.net/gtd/newCategory.php
Category Name
Script renders when creating new items (any that list a category to select).

http://gtd-php.sourceforge.net/gtd/newGoal.php
Title Field
Script renders when listGoals.php is called.

Additionally, when playing around, some of the scripts would temporarily show output before redirecting to another page. These also render the script code, and can be called directly:

http://gtd-php.sourceforge.net/gtd/listReport.php?listID=3&listTitle=%3Cscript%3Ealert(document.cookie)%3C/script%3E%20347
http://gtd-php.sourceforge.net/gtd/projectReport.php?projectId=7&projectName=%3Cscript%3Ealert(document.cookie)%3C/script%3E%20347
http://gtd-php.sourceforge.net/gtd/checklistReport.php?checklistId=&checklistTitle=%3Cscript%3Ealert(document.cookie)%3C/script%3E%20347

Jericho
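The report above describes two shapes of the same defect: request parameters such as listTitle echoed straight into a page, and stored Title/Description/Category values rendered unencoded in list pages and drop-downs. The following is an added illustration, not gtd-php's own code, of the vulnerable output pattern beside the hardened one. It assumes a small rendering helper and constructed sample data; only the parameter name listTitle and the payload come from the report.

```php
<?php
// Added example, not gtd-php code: output encoding as the fix for the
// reflected and stored XSS described in the report.
declare(strict_types=1);

// Encode a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids returning an
// empty string on malformed UTF-8, which would otherwise hide the value.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable shape (reflected): the query-string value is interpolated
// unchanged, so a <script> element in listTitle reaches the browser as markup.
function render_heading_unsafe(array $query): string
{
    $title = $query['listTitle'] ?? '';
    return "<h2>Report for list: {$title}</h2>";
}

// Hardened shape: the same value is encoded at the point of output, so the
// browser receives &lt;script&gt;... and displays it as text.
function render_heading_safe(array $query): string
{
    $title = escape_html($query['listTitle'] ?? '');
    return "<h2>Report for list: {$title}</h2>";
}

// Stored shape: rows read back from the database (assumed columns
// projectId/projectName) are encoded the same way when building a drop-down.
// Escaping at output time covers data that was stored before any fix.
function render_project_options(array $rows): string
{
    $html = '<select name="projectId">';
    foreach ($rows as $row) {
        $id   = escape_html((string) $row['projectId']);
        $name = escape_html((string) $row['projectName']);
        $html .= "<option value=\"{$id}\">{$name}</option>";
    }
    return $html . '</select>';
}

// Minimal check helper so the example fails loudly regardless of zend.assertions.
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: {$what}");
    }
}

// Constructed sample request mirroring the report's listReport.php URL.
$sampleQuery = [
    'listID'    => '3',
    'listTitle' => '<script>alert(document.cookie)</script>',
];

// Constructed sample rows as they might come back from the projects table.
$sampleRows = [
    ['projectId' => 7, 'projectName' => '<script>alert(document.cookie)</script>'],
    ['projectId' => 8, 'projectName' => 'Taxes "2006"'],
];

$unsafe  = render_heading_unsafe($sampleQuery);
$safe    = render_heading_safe($sampleQuery);
$options = render_project_options($sampleRows);

// The unsafe output still carries a live <script> tag; the encoded ones do not.
check(strpos($unsafe, '<script>') !== false, 'unsafe output contains raw script tag');
check(strpos($safe, '<script>') === false, 'safe output contains no raw script tag');
check($safe === '<h2>Report for list: &lt;script&gt;alert(document.cookie)&lt;/script&gt;</h2>',
      'safe heading is fully encoded');
check(strpos($options, '<script>') === false, 'options contain no raw script tag');
check(strpos($options, 'Taxes &quot;2006&quot;') !== false, 'quotes are encoded in option text');

echo "unsafe:  {$unsafe}\n";
echo "safe:    {$safe}\n";
echo "options: {$options}\n";
```

The point of the design is that encoding is applied where the value meets HTML, not where it is received: the same escape_html() call fixes both the reflected case (query parameters) and the stored case (titles already in the database), and a value that is legitimately supposed to contain quotes or angle brackets is displayed correctly rather than rejected.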

From: Serge Rey
To: security curmudgeon
Date: Sun, 19 Mar 2006 20:29:31 -0800
Subject: Re: gtd input sanitization (XSS) vulnerabilities

jericho,

thanks for taking the time to let me know about this.

i took the demo off-line for now.

we will add the filtering soon.

serge
