#6469 Insecurity in Admin Overview Form [ss4721]

asf_release_1.0.0
closed
General
nobody
2015-01-03
2013-07-16
Chris Tsai
No

Hi All,

We have discovered a potential vulnerability in the project admin overview form at /admin/overview that could enable an attacker to inject custom html (including script tags) to anyone who visited that form page. The problem appears to be not limited to this form, but in every non-markdown textarea element on the site. Another example is in the milestone descriptions in the Ticket Admin Fields form at /admin//fields.

You can see an example at my project here: https://sourceforge.net/p/will/admin/overview, in which I have injected a simple js alert. However, prudence should preclude you from visiting that page, so I shall describe the exploit:

Within the Full Description textarea element, simply close the textarea tag, inject your own html, then open another textarea tag to round it out. This is what I put in:

</textarea><script>alert("DOOM")</script><textarea>

Once you put it in, make sure to reload the page, otherwise the browser will probably prevent the script from running after the post (at least chrome does).

In this case this attack is limited to those with admin rights to a project, but it nonetheless seems at least somewhat serious.

Discussion

    • status: open --> in-progress
    • assigned_to: Tim Van Steenburgh
     
  • Dave Brondsema
    Dave Brondsema
    2013-07-16

    • status: in-progress --> closed
    • QA: Dave Brondsema
     
    • QA: Dave Brondsema --> nobody
    • Size: --> 1
     
    • private: Yes --> No