Roundup Tracker - Issues

Issue 2550654

classification
Title: XSS vulnerability
Type: security Severity: critical
Components: Web interface Versions: 1.4
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: richard Nosy List: benjamin, richard
Priority: immediate Keywords:

Created on 2010-06-30 14:37 by benjamin, last changed 2010-07-01 01:54 by richard.

Messages
msg4079 Author: [hidden] (benjamin) Date: 2010-06-30 14:37
There's an XSS vulnerability in Roundup's handling of the template argument. An example URL 
would be

http://issues.roundup-tracker.org/issue?
@template=%3C/strong%3E%3Chtml%3E%3Chead%3E%3Cscript%3Ealert(%22Escape%20your%20st
rings%22)%3C/script%3E%3C/head%3E%3C/html%3E%3Cstrong%3E&status=1

This would allow JavaScript to access all cookies, make random changes to Roundup, etc.
msg4080 Author: [hidden] (benjamin) Date: 2010-06-30 14:39
...and the fact that Roundup is passing arbitrary HTML in the URL for this case being submitted 
isn't great either, as it has the exact same problem. (Potentially worse, since this one allows 
arbitrary injection on a normal, non-error page)

http://issues.roundup-tracker.org/issue2550654?
@ok_message=msg%204079%20created%3Cbr%3Eissue%202550654%20created&@template=ite
m
msg4081 Author: [hidden] (richard) Date: 2010-07-01 01:44
Thanks, this is fixed in r4486 and will be released ASAP.
msg4082 Author: [hidden] (richard) Date: 2010-07-01 01:54
BTW the ok and error message variables are specifically handled: they're allowed to have an 
extremely limited set of HTML.
History
Date User Action Args
2010-07-01 01:54:31richardsetmessages: + msg4082
2010-07-01 01:44:53richardsetstatus: new -> closed
nosy: + richard
messages: + msg4081
priority: immediate
assignee: richard
resolution: fixed
2010-06-30 14:39:43benjaminsetmessages: + msg4080
2010-06-30 14:37:17benjamincreate