Roundup Tracker - Issues

Issue 2550654

XSS vulnerability
Type: security Severity: critical
Components: Web interface Versions: 1.4
Status: closed fixed
: richard : benjamin, richard
Priority: immediate :

Created on 2010-06-30 14:37 by benjamin, last changed 2010-07-01 01:54 by richard.

msg4079 Author: [hidden] (benjamin) Date: 2010-06-30 14:37
There's an XSS vulnerability in Roundup's handling of the template argument. An example URL 
would be

This would allow JavaScript to access all cookies, make random changes to Roundup, etc.
msg4080 Author: [hidden] (benjamin) Date: 2010-06-30 14:39
...and the fact that Roundup is passing arbitrary HTML in the URL for this case being submitted 
isn't great either, as it has the exact same problem. (Potentially worse, since this one allows 
arbitrary injection on a normal, non-error page)
msg4081 Author: [hidden] (richard) Date: 2010-07-01 01:44
Thanks, this is fixed in r4486 and will be released ASAP.
msg4082 Author: [hidden] (richard) Date: 2010-07-01 01:54
BTW the ok and error message variables are specifically handled: they're allowed to have an 
extremely limited set of HTML.
Date User Action Args
2010-07-01 01:54:31richardsetmessages: + msg4082
2010-07-01 01:44:53richardsetstatus: new -> closed
nosy: + richard
messages: + msg4081
priority: immediate
assignee: richard
resolution: fixed
2010-06-30 14:39:43benjaminsetmessages: + msg4080
2010-06-30 14:37:17benjamincreate