#6889 XSS on /p/add_project/

v1.1.0
closed
General
nobody
2015-08-20
2013-11-16
Chris Tsai
No

[forge:site-support:#5930]

If you copy and paste this payload: "><img src=x onerror=prompt(1);> on the page sourceforge/p/add_Project in the two forms, you get an XSS

Not sure how exploitable that actually is, but following his instructions anyway, I was able to reproduce it.
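The payload in the report works by attribute-context break-out: the leading `"` closes the `value="..."` attribute the submitted text is reflected into, `>` closes the `<input>` tag, and the `<img>` that follows fires its `onerror` handler because `src=x` never loads. The snippet below is an added illustration, not Allura's template or the fix on the branch: it renders a minimal form field once without escaping and once with `html.escape(..., quote=True)`, models pre-filling the field from a query parameter (the `project_unixname` name comes from the discussion; the URL, the renderer functions and the tag-counting check are assumptions), and shows that the escaped form cannot grow a second element.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Payload quoted in the ticket. A double quote closes the attribute value,
# ">" closes the tag, and the <img> that follows fires onerror.
PAYLOAD = '"><img src=x onerror=prompt(1);>'


def render_field_unsafe(name, value):
    """Reflect a submitted value into <input value="..."> without escaping.
    Hypothetical buggy rendering for illustration, not Allura's template."""
    return '<input type="text" name="%s" value="%s">' % (name, value)


def render_field_safe(name, value):
    """Same field with the value HTML-escaped. quote=True is the part that
    matters in attribute context: it turns " into &quot;, so the attribute
    cannot be closed early and the rest of the payload stays inert text."""
    return '<input type="text" name="%s" value="%s">' % (
        name, html.escape(value, quote=True))


# Matches the start of any element. Entity-encoded "&lt;img" does not match,
# which is exactly the property the escaped rendering needs.
TAG_RE = re.compile(r"<\s*(\w+)")


def tags_in(markup):
    """Tag names present in rendered markup, in order. A field that renders to
    more than the single <input> has let user input become a new element."""
    return [m.group(1).lower() for m in TAG_RE.finditer(markup)]


def prefill_from_url(url, field, renderer):
    """Model a form pre-filled from a query parameter (e.g. ?project_unixname=...).
    Constructed to show the reflected case generically; the ticket notes that
    the real page does not trigger automatically through this route."""
    params = parse_qs(urlsplit(url).query)
    value = params.get(field, [""])[0]
    return renderer(field, value)


# Constructed example URL carrying the percent-encoded payload.
EXAMPLE_URL = ("https://example.invalid/p/add_project?project_unixname="
               "%22%3E%3Cimg%20src%3Dx%20onerror%3Dprompt(1)%3B%3E")


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_field_unsafe),
                            ("safe", render_field_safe)):
        out = prefill_from_url(EXAMPLE_URL, "project_unixname", renderer)
        print(label, tags_in(out))
        print("   ", out)
```

The check is deliberately structural (count the elements that come out) rather than a string search for the payload: a reflected value is safe when it can only ever be attribute text, whichever bytes the user sent. Template engines with autoescaping on apply the same quote-escaping to `{{ value }}` inside an attribute; the bug class appears wherever a value is concatenated into markup around that mechanism.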

Discussion

  • Dave Brondsema

    Dave Brondsema - 2013-11-18
    • status: open --> in-progress
    • assigned_to: Dave Brondsema
     
  • Dave Brondsema

    Dave Brondsema - 2013-11-18

    I don't see a way to exploit it either. Even sending a project_unixname URL parameter to pre-fill the value doesn't trigger it automatically for the visitor.

     
  • Dave Brondsema

    Dave Brondsema - 2013-11-18
    • status: in-progress --> code-review
     
  • Dave Brondsema

    Dave Brondsema - 2013-11-18

    Fix on db/6889

     
  • Cory Johns

    Cory Johns - 2013-11-18
    • status: code-review --> validation
     
  • Dave Brondsema

    Dave Brondsema - 2013-11-18
    • status: validation --> closed
    • private: Yes --> No
     
  • Dave Brondsema

    Dave Brondsema - 2013-11-18
    • private: No --> Yes
     
  • Dave Brondsema

    Dave Brondsema - 2013-11-18
    • private: Yes --> No
     
  • Dave Brondsema

    Dave Brondsema - 2013-12-02
    • Size: --> 1
     
