Apache Allura™ / Tickets / #6889 XSS on /p/add

#6889 XSS on /p/add_project/

Milestone: v1.1.0

Status: closed

Owner: Dave Brondsema

Labels: support (446) p1 (4) security (36) sf-1 (616)

Component: General

Reviewer: nobody

Updated: 2015-08-20

Created: 2013-11-16

Private: No

[forge:site-support:#5930]

If yuo copy and past this payload: "><img src=x onerror=prompt(1);> at the page of soruceforge/p/add_Project in the two forms, you got a XSS

Not sure how exploitable that actually is, but following his instructions anyway I was able to reproduce that.

Discussion

Dave Brondsema - 2013-11-18

I don't see a way to exploit it either. Even sending a project_unixname URL parameter to pre-fill the value doesn't trigger it automatically for the visitor.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2013-11-18

status: in-progress --> code-review
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2013-11-18

Fix on db/6889

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cory Johns - 2013-11-18

status: code-review --> validation
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2013-11-18

private: No --> Yes
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2013-11-18

private: Yes --> No
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2013-12-02

Size: --> 1
If you would like to refer to this comment somewhere else in this project, copy and paste the following link: