TaskFreak! v0.6.4 Multiple Cross-Site Scripting Vulnerabilities

Title: TaskFreak! v0.6.4 Multiple Cross-Site Scripting Vulnerabilities
Advisory ID: ZSL-2011-4990
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 11.02.2011
Summary
TaskFreak! Original is a simple but efficient web based task manager written in PHP.
Description
TaskFreak! suffers from multiple XSS vulnerabilities when handling input passed to several parameters in different scripts. The vulnerable POST parameters are 'sContext', 'sort', 'dir' and 'show' through index.php. The GET parameters 'dir' and 'show' through print_list.php are also vulnerable, and the 'referer' request header is vulnerable through the rss.php script. Attackers can exploit these weaknesses to execute arbitrary HTML and script code in a user's browser session.
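A hardened way to handle the parameters named above, added here as an example that is not TaskFreak!'s own code: values that drive logic (sort, dir, show) are checked against an allow-list and anything reflected into the page, including the Referer header, is HTML-encoded. The allow-list values and the output contexts are assumptions.

```php
<?php
// Added example (not TaskFreak! code): hardened handling of the parameters
// named in the advisory. Values that select behaviour are allow-listed;
// anything echoed back is encoded for its HTML context.

// Hypothetical allow-lists; the real column and view names are assumptions.
const ALLOWED_SORT = ['priority', 'deadline', 'title'];
const ALLOWED_DIR  = ['asc', 'desc'];
const ALLOWED_SHOW = ['all', 'mine', 'done'];

function pick(array $src, string $key, array $allowed, string $default): string
{
    // Only an exact allow-list match gets through; anything else falls back.
    $v = $src[$key] ?? $default;
    return in_array($v, $allowed, true) ? $v : $default;
}

function esc(string $s): string
{
    // ENT_QUOTES encodes both quote styles, so the value is safe in an
    // attribute as well as in a text node.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// index.php reads these from POST; print_list.php would pass $_GET instead.
$sort = pick($_POST, 'sort', ALLOWED_SORT, 'deadline');
$dir  = pick($_POST, 'dir',  ALLOWED_DIR,  'asc');
$show = pick($_POST, 'show', ALLOWED_SHOW, 'all');

// sContext is free text, so it cannot be allow-listed and must be encoded.
$context = esc((string)($_POST['sContext'] ?? ''));

// The Referer header is attacker-controlled like any other input. The
// safest fix for rss.php is not to reflect it; if it must appear, encode it.
$referer = esc((string)($_SERVER['HTTP_REFERER'] ?? ''));

echo '<input type="hidden" name="sort" value="' . esc($sort) . '">';
echo '<input type="hidden" name="dir" value="' . esc($dir) . '">';
echo '<input type="hidden" name="show" value="' . esc($show) . '">';
echo '<span class="context">' . $context . '</span>';
echo '<p class="origin">' . $referer . '</p>';
```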
Vendor
Stan Ozier - http://www.taskfreak.com
Affected Version
0.6.4 (multi-user)
Tested On
MS Windows XP Pro SP3-EN, XAMPP (latest)
Vendor Status
[27.01.2011] Vulnerability discovered.
[31.01.2011] Tried contacting vendor through their forums.
[01.02.2011] 3rd party offered to review the vulnerability details and to provide a patch.
[10.02.2011] No response from vendor.
[11.02.2011] Public advisory released.
PoC
taskfreak_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Borg
References
[1] git://borg.uu3.net/OEM/taskfreak.git
[2] http://packetstormsecurity.org/files/98426
[3] http://www.exploit-db.com/exploits/16158
[4] http://securityreason.com/wlb_show/WLB-2011020047
[5] http://www.securityfocus.com/bid/46350
[6] http://secunia.com/advisories/43318/
[7] http://www.securityhome.eu/exploits/exploit.php?eid=9581802394d561484427503.77666550
[8] http://xforce.iss.net/xforce/xfdb/65359
[9] http://osvdb.org/show/osvdb/70877
[10] http://osvdb.org/show/osvdb/70878
[11] http://osvdb.org/show/osvdb/70932
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1062
Changelog
[11.02.2011] - Initial release
[12.02.2011] - Added reference [2], [3] and [4]
[14.02.2011] - Added reference [5], [6] and [7]
[15.02.2011] - Added reference [8]
[17.02.2011] - Added reference [9] and [10]
[25.02.2011] - Added reference [11] and [12]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk