incubator-allura-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Brondsema" <brond...@users.sf.net>
Subject [allura:tickets] #6889 XSS on /p/add_project/
Date Mon, 18 Nov 2013 16:22:17 GMT
- **status**: validation --> closed
- **private**: Yes --> No



---

** [tickets:#6889] XSS on /p/add_project/**

**Status:** closed
**Labels:** support p1 security 
**Created:** Sat Nov 16, 2013 02:34 AM UTC by Chris Tsai
**Last Updated:** Mon Nov 18, 2013 03:46 PM UTC
**Owner:** Dave Brondsema

[forge:site-support:#5930]

>If yuo copy and past this payload: `"><img src=x onerror=prompt(1);>` at the
page of soruceforge/p/add_Project in the two forms, you got a XSS!! (CROSS SITE SCRIPTING)!
 I HOPE THAT SOURCEFORGE ACKNOWLEDGE ME..

>-Simon90_Italy.
For more information:morrailgay2@gmail.com

Screenshot: https://sourceforge.net/p/forge/site-support/5930/attachment/03b0f-c0aebbf2-ce95-4017-a427-0b215d98bfc2.png

Not sure how exploitable that actually is, but following his instructions anyway I was able
to reproduce that.


---

Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://sourceforge.net/p/allura/admin/tickets/options.
 Or, if this is a mailing list, you can unsubscribe from the mailing list.
Mime
  • Unnamed multipart/related (inline, None, 0 bytes)
View raw message