Issue 2550654
 
 
 
              
              
Created on 2010-06-30 14:37 by benjamin, last changed 2010-07-01 01:54 by richard. 
  
 
  
   | msg4079 | Author: [hidden] (benjamin) | Date: 2010-06-30 14:37 |
   
  
   
    There's an XSS vulnerability in Roundup's handling of the template argument. An example URL would be
http://issues.roundup-tracker.org/issue?@template=%3C/strong%3E%3Chtml%3E%3Chead%3E%3Cscript%3Ealert(%22Escape%20your%20strings%22)%3C/script%3E%3C/head%3E%3C/html%3E%3Cstrong%3E&status=1
This would allow JavaScript to access all cookies, make random changes to Roundup, etc. 
    | 
   
 
 
  
   | msg4080 | Author: [hidden] (benjamin) | Date: 2010-06-30 14:39 |
   
  
   
    ...and the fact that Roundup is passing arbitrary HTML in the URL for this case being submitted isn't great either, as it has the exact same problem. (Potentially worse, since this one allows arbitrary injection on a normal, non-error page)
http://issues.roundup-tracker.org/issue2550654?@ok_message=msg%204079%20created%3Cbr%3Eissue%202550654%20created&@template=item
    | 
   
 
 
  
   | msg4081 | Author: [hidden] (richard) | Date: 2010-07-01 01:44 |
   
  
   
    Thanks, this is fixed in r4486 and will be released ASAP. 
    | 
   
 
 
  
   | msg4082 | Author: [hidden] (richard) | Date: 2010-07-01 01:54 |
   
  
   
    BTW the ok and error message variables are specifically handled: they're allowed to have an 
extremely limited set of HTML. 
    | 
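
The two behaviours discussed in this thread, as an added Python example that is not Roundup's own code and not the r4486 change: the `@template` value is always escaped before it is echoed, and `@ok_message` is escaped in full and then has only bare allowlisted tags restored. The tag list, the error wording and the function names are assumptions; the query strings are the ones from the report.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: the thread only says the permitted set is "extremely limited";
# this tag list is illustrative.
ALLOWED_TAGS = ("b", "i", "strong", "em", "br")

# An escaped, attribute-free tag: &lt;br&gt;, &lt;/strong&gt;, &lt;br /&gt;
_ESCAPED_TAG = re.compile(
    r"&lt;(/?)(%s)\s*(/?)&gt;" % "|".join(ALLOWED_TAGS), re.IGNORECASE)


def clean_message(msg):
    """Escape the whole message, then restore only bare allowlisted tags."""
    escaped = html.escape(msg, quote=True)
    return _ESCAPED_TAG.sub(
        lambda m: "<%s%s%s>" % (m.group(1), m.group(2).lower(), m.group(3)),
        escaped)


def template_error(name):
    """Hypothetical error text; the requested name is never emitted raw."""
    return "Unknown template <strong>%s</strong>" % html.escape(name, quote=True)


# Query strings from the two URLs in the report above.
TEMPLATE_QS = ("@template=%3C/strong%3E%3Chtml%3E%3Chead%3E%3Cscript%3E"
               "alert(%22Escape%20your%20strings%22)%3C/script%3E%3C/head%3E"
               "%3C/html%3E%3Cstrong%3E&status=1")
OK_MESSAGE_QS = ("@ok_message=msg%204079%20created%3Cbr%3E"
                 "issue%202550654%20created&@template=item")


def render(query_string):
    """Return the HTML fragments emitted for one request, treating the
    template lookup as failed so the error path is always exercised."""
    params = parse_qs(query_string)
    out = {}
    if "@ok_message" in params:
        out["ok_message"] = clean_message(params["@ok_message"][0])
    if "@template" in params:
        out["template_error"] = template_error(params["@template"][0])
    return out


if __name__ == "__main__":
    for qs in (TEMPLATE_QS, OK_MESSAGE_QS):
        print(render(qs))
```

Tags carrying attributes never match the allowlist pattern, so they stay escaped.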
   
 
 
| Date | User | Action | Args |
| 2010-07-01 01:54:31 | richard | set | messages: + msg4082 |
| 2010-07-01 01:44:53 | richard | set | status: new -> closed, nosy: + richard, messages: + msg4081, priority: immediate, assignee: richard, resolution: fixed |
| 2010-06-30 14:39:43 | benjamin | set | messages: + msg4080 |
| 2010-06-30 14:37:17 | benjamin | create |  |