Hello,

I was going through SourceForge to download the PyDev plugin and I
encountered a Cross-Site Scripting vulnerability in certain domains
hosted by SourceForge. I am including the links which have the
vulnerability, preventive measures, and I am also sending mails to the host.
I am reporting this issue as a matter of personal interest and also for
a better and safer Web.
Also, I swear that I did not cause any havoc to the site; I am reporting
this privately and have not disclosed it publicly.

Links :
====

[A]XSS Vulnerability:
------------------------------
Cross-site scripting is a vulnerability in which malicious scripts are
injected into websites, which can lead to a total breach of security
when customer details are stolen or manipulated, as mentioned by OWASP.

[*]LMMS.SOURCEFORGE

1.
http://lmms.sourceforge.net/lsp/index.php?action=%22%3E%3CSCrIpT%3Ealert%28%27Your%20Site%20has%20XSS%27%29%3C%2FScRiPt%3E&category=Presets
[ACTION= is the vulnerable parameter. Check for sanitizing of inputs before
parsing them]

2.
http://lmms.sourceforge.net/lsp/index.php?action=%22%3E%3CSCrIpT%3Ealert%28%27You%20have%20XSS%20Vulneribility%27%29%3C%2FScRiPt%3E&file=3972
[ACTION= is vulnerable]

3.
lmms.sourceforge.net/lsp/index.php?action="><SCrIpT>alert('You have an XSS')<%2FScRiPt>&user=DerWeisbecker
[ACTION= is vuln.]

4.
http://lmms.sourceforge.net/lsp/index.php?action=%22%3E%3CSCrIpT%3Ealert%28%27XSS%20FOUND%27%29%3C%2FScRiPt%3E&category=Projects&subcategory=Ambient
[ACTION=]

5.
lmms.sourceforge.net/lsp/index.php?action="><SCrIpT>alert('XSS')<%2FScRiPt>

Mitigations:
---------------------
Please refer to,
[OWASP XSS CHEAT SHEET]
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
[XSS FILTER EVASION]
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

I hope that you read it and take preventive measures to avoid this attack.
I repeat, these are not *potential* but proven attacks which have the ability
even to take control of the server.

Do reply to this mail address.
Awaiting your response.

Cheers,
Nishaanth Guna aka gameFace22
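Added example (not part of the report above, and not the LSP site's own code, which is PHP): the reported pattern is a query parameter reflected straight into page markup, and the OWASP cheat sheet's fix is to validate the value against an allow-list and then encode it for the HTML context it lands in. The snippet below shows both the vulnerable and the hardened rendering in Python, using `html.escape` as the stand-in for PHP's `htmlspecialchars`. The URL, the `ALLOWED_ACTIONS` set and the form markup are assumptions constructed for the illustration; the only real detail carried over is that the parameter is named `action`.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL with the same shape as the reported links:
# a percent-encoded attribute-breakout payload in the `action` parameter.
SAMPLE_URL = (
    "http://example.invalid/lsp/index.php"
    "?action=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&category=Presets"
)

# Hypothetical allow-list of the actions the page actually implements.
ALLOWED_ACTIONS = {"browse", "show", "search"}
DEFAULT_ACTION = "browse"


def get_param(url: str, name: str) -> str:
    """Return the decoded value of a query parameter ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_vulnerable(action: str) -> str:
    """Mirrors the reported defect: raw input concatenated into an attribute."""
    return f'<form action="{action}">'


def render_encoded_only(action: str) -> str:
    """Output encoding alone: the payload is shown as text, not executed."""
    return f'<form action="{html.escape(action, quote=True)}">'


def render_hardened(action: str) -> str:
    """Allow-list validation first, then context-appropriate encoding."""
    if action not in ALLOWED_ACTIONS:
        action = DEFAULT_ACTION
    # Encode even after validation so a future change to the allow-list
    # cannot silently reintroduce the injection.
    return f'<form action="{html.escape(action, quote=True)}">'


def contains_unescaped_tag(markup: str) -> bool:
    """Crude check used here to show whether a script tag survived rendering."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    payload = get_param(SAMPLE_URL, "action")
    print("vulnerable:", render_vulnerable(payload))
    print("encoded:   ", render_encoded_only(payload))
    print("hardened:  ", render_hardened(payload))
```

Running it shows the vulnerable render closing the attribute and emitting a live `<script>` element, the encoded render turning every `"`, `<` and `>` into entities so the browser treats the value as text, and the hardened render discarding the unexpected value altogether. Encoding is the minimum fix; the allow-list is what keeps the parameter from carrying arbitrary content into the page in the first place.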
_______________________________________________
Lmms-users mailing list
Lmms-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lmms-users