From: security curmudgeon
To: sjrey@users.sourceforge.net
Date: Sun, 19 Mar 2006 22:42:24 -0500 (EST)
Subject: gtd input sanitization (XSS) vulnerabilities

Hey Serge,

While playing with the version 0.5 demo of gtd, I noticed that the program doesn't sanitize user input in several places. This can allow for various forms of Cross-Site Scripting (XSS) attacks. Here are the places I noticed:

http://gtd-php.sourceforge.net/gtd/newProject.php
  Description and Title Field
  Script renders when listProjects.php is called, or any page that gives the Project drop down selection.

http://gtd-php.sourceforge.net/gtd/newList.php
  Description and Title Field
  Script renders when listList.php is called.

http://gtd-php.sourceforge.net/gtd/newWaitingOn.php
  Description and Title Field
  Script renders when listWaitingOn.php is called.

http://gtd-php.sourceforge.net/gtd/newChecklist.php
  Title Field
  Script renders when listChecklist.php is called.

http://gtd-php.sourceforge.net/gtd/newContext.php
  Title Field
  Script renders when reportContext.php is called.

http://gtd-php.sourceforge.net/gtd/newCategory.php
  Category Name
  Script renders when creating new items (any that list a category to select).

http://gtd-php.sourceforge.net/gtd/newGoal.php
  Title Field
  Script renders when listGoals.php is called.

Additionally, when playing around, some of the scripts would temporarily show output before redirecting to another page. These also render the script code, and can be called directly:

http://gtd-php.sourceforge.net/gtd/listReport.php?listID=3&listTitle=%3Cscript%3Ealert(document.cookie)%3C/script%3E%20347
http://gtd-php.sourceforge.net/gtd/projectReport.php?projectId=7&projectName=%3Cscript%3Ealert(document.cookie)%3C/script%3E%20347
http://gtd-php.sourceforge.net/gtd/checklistReport.php?checklistId=&checklistTitle=%3Cscript%3Ealert(document.cookie)%3C/script%3E%20347

Jericho

--

From: Serge Rey
To: security curmudgeon
Date: Sun, 19 Mar 2006 20:29:31 -0800
Subject: Re: gtd input sanitization (XSS) vulnerabilities

On 3/19/06, security curmudgeon wrote:
>
> Hey Serge,
>
> While playing with the version 0.5 demo of gtd, I noticed that the program
> doesn't sanitize user input in several places. This can allow for various
> forms of Cross-Site Scripting (XSS) attacks. Here are the places I
> noticed:

jericho, thanks for taking the time to let me know about this. i took the demo off-line for now. we will add the filtering soon.

serge
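The two failure modes in the report above (a stored title that runs as script on every list page, and a query-string parameter such as listTitle echoed back by a report page) have the same root cause: untrusted text is written into HTML without being escaped. The following is an added example of the fix, not code from gtd-php or from either correspondent; the helper and function names, the sample project titles and the query array are constructed for illustration. It shows the raw-echo pattern the report describes next to the escaped version, using PHP's built-in htmlspecialchars() at the point of output.

```php
<?php
// Added example, not gtd-php's own code. Function names and sample data are
// constructed for illustration of output escaping in list and report pages.

declare(strict_types=1);

// Escape a value for insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES also encodes single quotes (needed inside attributes);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering (the pattern the report describes): the stored title is
// interpolated into the page unchanged, so a title containing markup runs as
// script whenever a listProjects.php-style page or project drop-down is shown.
function renderProjectOptionUnsafe(int $id, string $title): string
{
    return "<option value=\"$id\">$title</option>\n";
}

// Fixed rendering: every untrusted value is escaped when it is written out.
function renderProjectOption(int $id, string $title): string
{
    return '<option value="' . e((string) $id) . '">' . e($title) . "</option>\n";
}

// Reflected case: a report page that echoes query-string values such as
// listID and listTitle. The ID is cast to int; the title is escaped.
function renderReportHeading(array $query): string
{
    $listId    = (int) ($query['listID'] ?? 0);
    $listTitle = (string) ($query['listTitle'] ?? '');
    return '<h1>List ' . $listId . ': ' . e($listTitle) . "</h1>\n";
}

// Constructed sample rows standing in for the projects table; the second
// title is the test string from the report.
$projects = [
    1 => 'Write quarterly report',
    2 => '<script>alert(document.cookie)</script>',
];

echo "Unsafe output (markup survives intact):\n";
foreach ($projects as $id => $title) {
    echo renderProjectOptionUnsafe($id, $title);
}

echo "\nEscaped output (markup becomes inert text):\n";
foreach ($projects as $id => $title) {
    echo renderProjectOption($id, $title);
}

// Constructed stand-in for $_GET on listReport.php.
echo "\nReflected parameter, escaped:\n";
echo renderReportHeading([
    'listID'    => '3',
    'listTitle' => '<script>alert(document.cookie)</script> 347',
]);
```

Escaping at output rather than filtering at input covers both cases at once: titles already stored in the database are rendered safely without needing a data migration, and a report page reached directly with a crafted query string is neutralised the same way. Input validation (length limits, rejecting control characters) is still worth adding, but it is not a substitute, since the same stored value may later be emitted into contexts with different escaping rules.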