Trustwave SpiderLabs has published a new security advisory for multiple Cross-Site Scripting (XSS) vulnerabilities in The Bug Genie, an open source issue tracking and project management PHP application. The findings include both reflective and persistent XSS vulnerabilities in input parameters that can be exploited via authenticated POST requests. The Bug Genie team was contacted earlier this year regarding the security issues, and made an attempt to address them in their 3.2.5 release. Due to incomplete fixes in the 3.2.5 version, affected users are advised to upgrade to the latest stable 3.2.6 release.
Our initial security advisory was published for affected versions 3.2.4 and prior. However, a couple of weeks after the fixes were released in version 3.2.5, I revisited the application in order to confirm the fixes. I found that only two out of the five findings were correctly addressed. As a result, the remaining three findings in the 3.2.5 version were still vulnerable to XSS. Multiple attempts to contact The Bug Genie team regarding the following incomplete fixes were made:
- Persistent XSS via POST request on 'description' parameter in issue reporting
- Persistent XSS via POST request in file attachments
- Reflective XSS via POST request on 'openid_identifier' parameter in login during preauth
Both the ‘description’ and ‘openid_identifier’ parameters fail to sanitize user input properly. Although the 3.2.5 version of The Bug Genie applied a fix in different locations for both vulnerabilities, they failed to eliminate the issue entirely in other parts of the web application.
Therefore, I developed two patches that addressed both issues. As of this post, the supplied patches that I submitted to The Bug Genie team to help address the incomplete fixes for both vulnerabilities have been merged into their codebase. Affected users who previously upgraded to version 3.2.5 should now upgrade to the latest 3.2.6 release, which contains both of my fixes.
Here are the changes that I provided:
Download: Fix openid_identifier XSS Vulnerability
Download: Fix timeline Issues XSS Vulnerability
As a final note, the persistent XSS vulnerability that exists in the way that the application renders its content remains unfixed in the latest 3.2.6 version as well. However, the file uploading functionality in The Bug Genie is disabled by default.
For additional details regarding this security advisory, please visit: Security Advisory TWSL2013-002