by r0t,der4444,cembo,VietMafia

Wednesday, December 14, 2005

ProjectForum 4.7.0 vuln.

Vuln. discovered by: r0t
Date: 14 Dec. 2005
Vendor: http://www.projectforum.com/pf/
Affected version: 4.7.0 and prior


Product Description:

ProjectForum provides a professional and easy-to-use web-based focus for your team's work and collaboration, helping to move documents and projects forward fast. Its flexible wiki-style forums fill the gap between the scattered flurry of email and the time and expense of meetings or teleconferences. Build a project site or intranet where everyone can actively and directly contribute. Downloadable and hosted versions available.


Vuln. Description:

1. Denial of Service attack
A boundary error in the input passed to the "pageid" parameter can be exploited to crash the service by sending a POST request, so it can be used for a DoS attack.


2. XSS
Missing input validation in various pages and error messages can be exploited to conduct Cross-Site Scripting attacks by inserting arbitrary HTML or script code, which is executed in a user's browser session when the page is viewed.


Examples:

/admin/versions.html?pageid=[CODE]

/admin/adminsignin.html?fwd=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E

/support/admin/newpage.html?originalpageid=%22%3E%3Cscript%3Ealert('r0t')%3C/script%3E



Solution:

1.
Restrict access to the service (default port 3455/tcp) to ensure that only trusted IP addresses can connect.

Filter malicious characters and character sequences in an HTTP proxy.

2.
Edit the source code to ensure that input is properly sanitised.
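As an added illustration of the two fixes above (example code, not ProjectForum's own), here is a Python sketch of a bounded integer check for "pageid" and attribute-safe reflection of the "fwd" parameter; the upper bound, the length limit and the hidden-field markup are assumptions.

```python
import html
from urllib.parse import unquote

# Assumed bound for "pageid": the advisory gives no limit, so a signed
# 32-bit maximum is used purely for illustration.
PAGEID_MAX = 2**31 - 1
PAGEID_MAX_DIGITS = len(str(PAGEID_MAX))


def validate_pageid(raw: str):
    """Accept only a bounded positive integer; return int, or None on reject.

    Both a very long string and an oversized number are refused before any
    conversion or lookup happens, which is the check a server should do
    before touching the "pageid" input.
    """
    if not raw.isascii() or not raw.isdigit():
        return None
    if len(raw) > PAGEID_MAX_DIGITS:
        return None
    value = int(raw)
    if value < 1 or value > PAGEID_MAX:
        return None
    return value


def attribute_safe(raw_query_value: str) -> str:
    """URL-decode a parameter as the server would, then entity-encode it so a
    value such as "><script>... cannot close the attribute it is reflected into."""
    decoded = unquote(raw_query_value)
    return html.escape(decoded, quote=True)


def render_signin_form(fwd_param: str) -> str:
    """Hypothetical hardened adminsignin page: reflect "fwd" only after encoding."""
    return '<input type="hidden" name="fwd" value="%s">' % attribute_safe(fwd_param)


def is_script_free(markup: str) -> bool:
    """Defender's check on the rendered output: no live <script> tag survives."""
    return "<script" not in markup.lower()
```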

4 Comments:

Anonymous Anonymous told...

You say "boundary error" in a POST request. Do you mean buffer overflow with a large string? Or just a bigger number than expected?

7:37 PM

Anonymous Anonymous told...

I think, probably, bigger than expected...
cembo

9:15 PM

Blogger r0t told...

I can have some problems with my terminology or some definitions, as English isn't my native language and I'm very bad at it.

And this was a case where I wasn't sure about the right way; let's look at what some other researchers will say.

10:28 PM

Anonymous Anonymous told...

My Latvian sux :) so it's OK about your English.

Do you mean:

pageid=123456789 (really big number)

or

pageid=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA (really long string)

8:38 AM

Copyright (c) 2006 Pridels Sec Crew