Ticket search results

XSS on wiki page and preview

Chris Tsai — Thu, 20 Aug 2015 22:07:00 -0000

Confirmed and reproduced here: https://sourceforge.net/p/strawhat/private-wiki/Swapnil_XSS/ ***This also affects live wiki pages, not just the previews*** Original message from user, Swapnil Thaware: >Respected Authorities, >My name is Swapnil A. Thaware and I am a Security Researcher from India. I have found security vulnerability in sourceforge.net. Here I am giving the details of the vulnerability found in sourceforge.net. >Vulnerability : Stored XSS >Vulnerability Description : Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. >An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. >Step to Reproduce : 1) Login to Account 2) Goto wiki Section then Click on Create Page 3) Write a name 4) and then put XSS Payload in Content box then click on Preview button. 5) Boooommmm !! we get the popup >XSS Payload : ~~~~ ">

XSS on /p/add_project/

Chris Tsai — Thu, 20 Aug 2015 22:07:10 -0000

[forge:site-support:#5930] >If yuo copy and past this payload: `">` at the page of soruceforge/p/add_Project in the two forms, you got a XSS Not sure how exploitable that actually is, but following his instructions anyway I was able to reproduce that.

Insecurity in Admin Overview Form [ss4721]

Chris Tsai — Thu, 20 Aug 2015 22:07:55 -0000

Hi All, We have discovered a potential vulnerability in the project admin overview form at /admin/overview that could enable an attacker to inject custom html (including script tags) to anyone who visited that form page. The problem appears to be not limited to this form, but in every non-markdown textarea element on the site. Another example is in the milestone descriptions in the Ticket Admin Fields form at /admin//fields. You can see an example at my project here: https://sourceforge.net/p/will/admin/overview, in which I have injected a simple js alert. However, prudence should preclude you from visiting that page, so I shall describe the exploit: Within the Full Description textarea element, simply close the textarea tag, inject your own html, then open another textarea tag to round it out. This is what I put in: ~~~~