PHProjekt 5.2.0 - XSS and Filter Evasion vulnerability

Tuesday, 27 March 2007

n.runs AG security at
n.runs-SA-2007.004 14-Mar-2007

Vendor: Mayflower GmbH,
Affected Products: PHProjekt 5.2.0
Vulnerability: Cross Site Scripting and Filter Evasion
Risk: HIGH


Vendor communication:

  2006/12/31 initial notification of Mayflower
  2007/01/02 Mayflower Response
  2007/01/02 PGP keys exchange
  2007/01/02 PoCs sent to Mayflower
  2007/01/11 Mayflower confirmed the bugs
  2007/01/30 Mayflower fixed the bugs and sends RC1
  2007/01/30 n.runs informs Mayflower about a persisting XSS vulnerability
  2007/02/02 Mayflower confirmed the bug
  2007/02/08 Mayflower fixed the bugs and sends RC2
  2007/02/12 n.runs informs Mayflower about a persisting XSS vulnerability
  2007/02/15 Mayflower confirmed the bug
  2007/02/20 Mayflower fixed the bug and sends RC3
  2007/02/21 n.runs verifies RC3 and reported a possible flaw within the new XSS protection library
  2007/03/14 PHProjekt 5.2.1 available
  2007/03/14 Coordinated disclosure



Quoting "PHProjekt is a modular application for the coordination of group activities and to share informations and document via the web. Components of PHProjekt: Group calendar, project management, time card system, file management, contact manager, mail client and many other modules. PHProjekt supports many protocols like ldap, xml/soap and webdav and is available for 38 languages and 9 databases."


In detail, the following flaws were determined during a quick source code review for the modules Projects, Contacts, Helpdesk, Notes, Search and Mail. During the validation the php.ini setting "magic_quotes_gpc" was deactivated.

Although PHProjekt is using a Cross Site Scripting Filter, it is possible to circumvent it.
Affected modules are
    - Projects
    - Contacts
    - Helpdesk
    - Notes
    - Search
    - Mail
The Search module affects only Gecko engine driven Browsers.
Finally, the Cross Site Scripting vulnerability also affects the summary page, which is PHProjekt's index page.

There may be other modules which are affected, but they have not been subject to review at this point.

The vulnerabilities were reported on Dec 31 2006 and an update has been released on Mar 14 2007.

Bugs found by Alexios Fakos of n.runs AG.


Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages.

Copyright 2007 n.runs AG. All rights reserved. Terms of apply.

Original Advisories: - Download the bugfix

Share this content:
Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.