incubator-allura-dev mailing list archives

From "Tim Van Steenburgh" <>
Subject [allura:tickets] #6469 Insecurity in Admin Overview Form [ss4721]
Date Wed, 17 Jul 2013 13:54:35 GMT
- **private**: Yes --> No


**[tickets:#6469] Insecurity in Admin Overview Form [ss4721]**

**Status:** closed
**Labels:** support p1 security 
**Created:** Tue Jul 16, 2013 06:26 PM UTC by Chris Tsai
**Last Updated:** Tue Jul 16, 2013 10:29 PM UTC
**Owner:** Tim Van Steenburgh

Hi All,

We have discovered a potential vulnerability in the project admin overview form at /admin/overview
that could enable an attacker to inject custom HTML (including script tags) to anyone who
visited that form page. The problem appears to be not limited to this form, but in every non-markdown
textarea element on the site. Another example is in the milestone descriptions in the Ticket
Admin Fields form at /admin//fields.

You can see an example at my project here:,
in which I have injected a simple JS alert. However, prudence should preclude you from visiting
that page, so I shall describe the exploit:

Within the Full Description textarea element, simply close the textarea tag, inject your own
HTML, then open another textarea tag to round it out. This is what I put in:


Once you put it in, make sure to reload the page, otherwise the browser will probably prevent
the script from running after the post (at least Chrome does).

In this case this attack is limited to those with admin rights to a project, but it nonetheless
seems at least somewhat serious.


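The ticket above describes a stored value that closes the surrounding textarea element when it is rendered back into the form. The following regression check for that class of bug is an added example, not Allura's code or its fix: the two render functions, the field name and the sample value are assumptions constructed for illustration, and only Python's standard `html.escape` and `HTMLParser` are used.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample value (not the reporter's input): closes the textarea,
# adds a harmless marker element, then reopens a textarea.
SAMPLE_DESCRIPTION = 'About us</textarea><b id="marker">injected</b><textarea>'


def render_unescaped(value):
    """The 'before' behaviour: stored text is placed in the markup raw."""
    return '<textarea name="description">' + value + '</textarea>'


def render_escaped(value):
    """Hardened: escape &, <, > and quotes so the value stays text."""
    return '<textarea name="description">' + escape(value, quote=True) + '</textarea>'


class TagCollector(HTMLParser):
    """Records start tags and the text that ends up inside each textarea."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.textarea_text = []
        self._in_textarea = False

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "textarea":
            self._in_textarea = True
            self.textarea_text.append("")

    def handle_endtag(self, tag):
        if tag == "textarea":
            self._in_textarea = False

    def handle_data(self, data):
        if self._in_textarea:
            self.textarea_text[-1] += data


def parse_rendered(markup):
    """Return (start tags seen, text content of each textarea)."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.textarea_text
```

A form that renders any element other than the single textarea for a stored description fails this check; with escaping, the field round-trips the exact text the admin typed.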