Description: Secure Science Corporation has reported a vulnerability in PHProjekt, which can be exploited by malicious users to conduct script insertion attacks. Input passed to the chat in a message is not properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious user data is viewed via the chat. The vulnerability has been reported in version 4.2 and prior. Other versions may also be affected. Solution: Edit the source code to ensure that input is properly sanitised.
Not sure upstream is very alive...
I see there is a 4.2.3 released 20041227. I'm assuming it's vulnerable as well looking at the release date.
Could someone make sure they know about this? I tried their bugtracker but it's apparently buggy.
web-apps any news on this one?
sent an email upstream
Summary of the upstream reply:
- basic patch for the chat: add this below line 39 in chat/chat.php: $content = htmlentities(strip_tags($content));
- PHProjekt has not been particularly checked for XSS issues, since it's supposed to be an intranet system with only known users.
- Version 5 (coming next month) closes all known XSS issues
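To make the upstream one-liner concrete, here is an added example (not PHProjekt's own code, and not part of the original thread) showing the vulnerable chat-rendering pattern beside the hardened one. The function names and the sample messages are constructed for illustration; the `ENT_QUOTES` flag and the explicit `'UTF-8'` charset are my additions on top of the quoted `htmlentities(strip_tags($content))` line.

```php
<?php
// Added example, not code from PHProjekt. Demonstrates why the upstream
// patch (encode the message before it reaches the chat window) stops the
// script-insertion issue described in the advisory.

// Vulnerable pattern: the raw message is interpolated straight into the
// HTML of the chat window, so markup in a message runs in every viewer's
// browser session.
function render_chat_line_vulnerable(string $user, string $content): string {
    return "<div class=\"msg\"><b>$user</b>: $content</div>";
}

// Hardened pattern, following the upstream one-liner but with explicit
// flags (assumption, not in the upstream reply): ENT_QUOTES also encodes
// single quotes, which matters if the value is ever placed in an attribute,
// and pinning the charset keeps multi-byte input encoded consistently.
function sanitize_chat_message(string $content): string {
    return htmlentities(strip_tags($content), ENT_QUOTES, 'UTF-8');
}

// The user name is attacker-influenced too, so it is encoded as well.
function render_chat_line_safe(string $user, string $content): string {
    $user    = htmlentities($user, ENT_QUOTES, 'UTF-8');
    $content = sanitize_chat_message($content);
    return "<div class=\"msg\"><b>$user</b>: $content</div>";
}

// Constructed sample messages: one ordinary line, two carrying markup.
$samples = [
    ['user' => 'alice',   'content' => 'meeting at 10, room 3'],
    ['user' => 'mallory', 'content' => '<script>alert(\'x\')</script>hello'],
    ['user' => 'mallory', 'content' => '<img src=x onerror="alert(\'x\')">'],
];

foreach ($samples as $m) {
    echo "raw : " . render_chat_line_vulnerable($m['user'], $m['content']) . "\n";
    echo "safe: " . render_chat_line_safe($m['user'], $m['content']) . "\n\n";
}
```

Run it with `php` on the command line and compare the two outputs per message: in the `safe` lines the tags are gone and any remaining `<`, `>`, quotes and `&` are encoded, so the browser displays the text instead of executing it. One caveat worth knowing when copying the upstream line: `strip_tags()` is a tag stripper, not an encoder, and it discards text that merely looks like a tag (including everything after an unmatched `<`), so a legitimate message such as `a <3 b` can lose content. The `htmlentities()` call is the part that actually neutralises the markup; `strip_tags()` on its own should not be relied on as the XSS defence.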
web-apps: I would say patch the (known) vuln and bump... And be sure to migrate to v5 whenever it's available :)
web-apps, please bump
I have this here ready to commit. Just have to wait 4-5hrs before the tarball shows up on the mirrors... I'll CC ppc once I've committed.
4.2.3 in cvs, x86 stable. ppc please stable.
Stable on ppc.
Ready for GLSA vote
I tend to vote YES on this one.
5.0 will not be ready for this month... According to the site: "Only 55 days until PHProjekt 5 is released. "
I think we should wait for phprojekt5 before releasing a GLSA: no need to issue one for half-fixing the XSS issues... so I vote NO.
A little weird but now they talk about 23 days left :)
I agree with koon, there seem to be more issues. We should probably wait for the other fixes to do a GLSA.
Closing