
Network Security Vuln-Dev

Multiple Vulnerabilities in phpScheduleIt

Subject: Multiple Vulnerabilities in phpScheduleIt
Date: 31 Aug 2004 19:53:01 -0000


--------------------------------------------------------------------------- 
              Multiple Vulnerabilities in phpScheduleIt 
--------------------------------------------------------------------------- 
 
Author: Joxean Koret 
Date: 2004  
Location: Basque Country 
 
--------------------------------------------------------------------------- 
 
Affected software description: 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
 
phpScheduleIt 1.0.0 RC1 
 
phpScheduleIt is a web application that attempts to solve the problem of
scheduling and managing resource utilization. It provides a permissions-based
calendar that allows users to self-register and reserve resources and the
tools to manage those reservations.
 
Some typical applications are conference room, 
equipment, or work shift scheduling. 
 
Web : http://www.php.brickhost.com/ 
 
--------------------------------------------------------------------------- 
 
Vulnerabilities: 
~~~~~~~~~~~~~~~~ 
 
A. Multiple Cross Site Scripting Vulnerabilities 
 
A1. When you register a new user, the fields "Name" and "Last Name" (at least)
accept potentially dangerous HTML (and also any client-side scripting language).
 
If you want to try it, follow these steps:

       1.- Go to http://<site-with-phpScheduleIt>
       2.- Click on "Click Here to Register"
       3.- Enter the required fields and in the name and/or last name insert the
           following data:

               a<script>alert(document.cookie)</script>

       4.- Click on register. The system doesn't check if the e-mail is valid and/or
           if this is a robot! You are logged in!!!
       5.- You will see your cookie in a box.
 
Exploitation of this issue could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
 
A2. When you create a new schedule you can insert potentially dangerous HTML or
client-side script in the Schedule Name field.
 
Exploitation of this issue could allow for theft of cookie-based authentication
credentials. Other attacks are also possible.
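Both A1 and A2 come down to user-supplied text being written into a page without encoding. As an added illustration (Python written for this note, not the advisory's or phpScheduleIt's code), the following shows the two server-side measures that close this class of issue: flagging or rejecting markup in the registration fields, and entity-encoding the values wherever they are rendered. The advisory's own test string is used as the constructed sample input; the field names and function names are assumptions.

```python
import html
import re

# Constructed sample registration; "name" carries the advisory's own test string.
SAMPLE_REGISTRATION = {
    "name": "a<script>alert(document.cookie)</script>",
    "last_name": "O'Brien & Sons",
    "email": "user@example.com",
}

# Fields a user controls at registration time and that are later rendered.
RENDERED_FIELDS = ("name", "last_name")

# Any angle bracket in a display name is a strong sign of injected markup.
MARKUP_RE = re.compile(r"[<>]")


def fields_with_markup(fields):
    """Return the names of rendered fields whose value contains markup.

    A registration handler can reject such input outright, or log it so
    that attempts to plant script in profile fields show up in review.
    """
    return [k for k in RENDERED_FIELDS if MARKUP_RE.search(fields.get(k, ""))]


def render_greeting_unsafe(fields):
    """The pattern the advisory describes: values dropped into HTML as-is."""
    return f'<div class="welcome">Welcome, {fields["name"]} {fields["last_name"]}</div>'


def render_greeting(fields):
    """Hardened form: every untrusted value is entity-encoded on output.

    quote=True also encodes ' and " so the value is safe inside attributes.
    Output encoding is the control that holds even if validation is bypassed.
    """
    safe = {k: html.escape(fields.get(k, ""), quote=True) for k in RENDERED_FIELDS}
    return f'<div class="welcome">Welcome, {safe["name"]} {safe["last_name"]}</div>'


if __name__ == "__main__":
    print("flagged fields:", fields_with_markup(SAMPLE_REGISTRATION))
    print("unsafe:", render_greeting_unsafe(SAMPLE_REGISTRATION))
    print("safe:  ", render_greeting(SAMPLE_REGISTRATION))
```

Validation on its own is not enough, since a legitimate surname such as "O'Brien & Sons" contains characters that are also meaningful in HTML; the escaping step is what keeps every value inert regardless of what the validator lets through.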
 
B. Privilege Escalation Vulnerabilities

B1. Privilege escalation (Administrator privileges) of a normal user.
 
The best way to test it is by following these steps:

       1.- Go to http://<site-with-phpScheduleIt>
       2.- Log in as administrator.
       3.- Now, enter the following location in the browser:
           http://<site-with-phpScheduleIt>, or just click on the Back button
           in your browser.
       4.- Log in as a normal user.
       5.- The user is a normal user with the Admin user privileges.

This doesn't work if the Administrator does click on "Logout".
 
NOTE: This requires that the user be on the same machine and browser as the
administrator and is really more of a physical security issue than a
programmatic risk.
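The condition behind B1 is that session state set during the administrator's login survives into the next login on the same browser. As an added example (Python written for this note, not phpScheduleIt's code; the session store, user table and function names are assumptions), the following replays the advisory's steps against two login routines: one that merely adds to whatever session the browser presents, and one that discards it and issues a fresh session id before recording the new user's role.

```python
import secrets

# Constructed user table: the role is what must not leak between logins.
USERS = {
    "admin": {"is_admin": True},
    "alice": {"is_admin": False},
}


class SessionStore:
    """Minimal stand-in for a server-side session store keyed by session id."""

    def __init__(self):
        self._sessions = {}

    def get(self, sid):
        return self._sessions.setdefault(sid, {})

    def destroy(self, sid):
        self._sessions.pop(sid, None)

    def exists(self, sid):
        return sid in self._sessions


def login_vulnerable(store, sid, username):
    """Keeps the existing session and only adds to it.

    A flag set by an earlier administrator login on the same browser is
    never cleared, so a later ordinary login inherits it.
    """
    data = store.get(sid)
    data["user"] = username
    if USERS[username]["is_admin"]:
        data["is_admin"] = True
    return sid


def login_fixed(store, sid, username):
    """Discards whatever session the browser presented and starts a fresh one.

    Destroying the old session and issuing a new id means no state from a
    previous user survives, whether they logged out or merely hit Back.
    """
    store.destroy(sid)
    new_sid = secrets.token_hex(16)
    data = store.get(new_sid)
    data["user"] = username
    data["is_admin"] = USERS[username]["is_admin"]
    return new_sid


def is_admin(store, sid):
    return bool(store.get(sid).get("is_admin"))


def replay(login):
    """Replay the advisory's steps 2 to 5 with the given login routine.

    Returns (normal_user_has_admin, admin_session_still_valid).
    """
    store = SessionStore()
    sid = "browser-cookie-1"             # constructed initial cookie value
    sid = login(store, sid, "admin")     # step 2: administrator logs in
    admin_sid = sid                      # step 3: no logout, just Back
    sid = login(store, sid, "alice")     # step 4: normal user logs in
    return is_admin(store, sid), store.exists(admin_sid)


if __name__ == "__main__":
    print("vulnerable login:", replay(login_vulnerable))
    print("fixed login:     ", replay(login_fixed))
```

The fixed routine also makes the administrator's old session id worthless, which is why the second value it returns is false: even if that id is still cached in the browser, nothing is stored under it any more.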
 
The fix: 
~~~~~~~~ 
 
The security issues have been fixed and will be included in the codebase
starting with version 1.0.0.
 
Disclaimer: 
~~~~~~~~~~~ 
 
The information in this advisory and any of its demonstrations is provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.
 
--------------------------------------------------------------------------- 
 
Contact: 
~~~~~~~~ 
 
        Joxean Koret at 
joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es 
 
 
