<<< Date Index >>>     <<< Thread Index >>>

Multiple Vulnerabilities in phpScheduleIt


--------------------------------------------------------------------------- 
              Multiple Vulnerabilities in phpScheduleIt 
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
phpScheduleIt 1.0.0 RC1 
 
phpScheduleIt is a web application that attempts 
to solve the problem of  
scheduling and managing resource utilization. It 
provides a permissions-based  
calendar that allows users to self-register and 
reserve resources and the  
tools to manage those reservations. 
 
Some typical applications are conference room, 
equipment, or work shift scheduling. 
 
Web : http://www.php.brickhost.com/ 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Multiple Cross Site Scripting Vulnerabilities 
 
A1. When you register a new user the fields 
"Name" and "Last Name" (at least) 
allows potentially dangerous HTML (and also 
any Client-side scripting language). 
 
If do you want to try it follow these steps : 
 
       1.- Go to http://<site-with-phpScheduleIt> 
       2.- Click on "Click Here to Register" 
       3.- Enter the required fields and in the name 
and/or last name insert the 
           following data : 
 
               a&lt;script&gt;alert(document.cookie)&lt;/script&gt; 
 
       4.- Click on register. The system doesn't 
check if the e-mail is valid and/or 
           if this is a robot! You are logged in!!! 
       5.- You will see your cookie in a box. 
 
Exploitation of this issue could allow for theft of 
cookie-based authentication  
credentials. Other attacks are also possible. 
 
A2. When you create a new Schedule you can 
insert potentially dangerous HTML or Client 
side script in the Schedule Name field. 
 
Exploitation of this issue could allow for theft of 
cookie-based authentication credentials. 
Other attacks are also possible. 
 
B. Privilege Excalation Vulnerabilities 
 
B1. Privilege excalation (Administrator 
privileges) of a normal user. 
 
The best way to test it is by follow these steps : 
 
       1.- Goto http://<site-with-phpScheduleIt> 
       2.- Logging as administrator. 
       3.- Now, insert in the browser the following 
location http://<site-with-phpScheduleIt> or 
           just click on the Back button in your 
browser. 
       4.- Logging as a normal user. 
       5.- The user is a normal user with the Admin 
user privileges. 
 
This doesn't work if the Administrator does click 
on "Logout". 
 
NOTE: This requires that the user be on the 
same machine and browser as the  
administrator and is really more of a physical 
security issue than a  
programatic risk. 
 
The fix: 
~~~~~~~~ 
 
The security issues have been fixed and will be 
included in the codebase  
starting with version 1.0.0.  
 
Disclaimer: 
~~~~~~~~~~~ 
 
The information in this advisory and any of its 
demonstrations is provided 
"as is" without any warranty of any kind. 
 
I am not liable for any direct or indirect damages 
caused as a result of 
using the information or demonstrations 
provided in any part of this 
advisory.  
 
--------------------------------------------------------------------------- 
 
Contact: 
~~~~~~~~ 
 
        Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es