Savane - Bugs: bug #13660, Cross Site Scripting

bug #13660: Cross Site Scripting

Submitted by:  Fernando Muñoz <munozferna>
Submitted on:  Tue 09 Jun 2009 09:33:23 PM UTC  
 
Category: Web Frontend
Status: None
Severity: 6 - Security
Priority: E - Immediate
Assigned to: Security Team <savane-security>
Open/Closed: Open
Release: SVN
Planned Release:
Reproducibility: None
Privacy: Public

Tue 09 Jun 2009 09:33:23 PM UTC, original submission:

I've noticed that a lot of forms use $PHP_SELF in the action field. This leads to XSS problems.

https://gna.org/index.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E
https://gna.org/my/items.php/%27%22%3E%3Cscript%3Ealert(1)%3C/script%3E

Fernando Muñoz <munozferna>
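
The pattern described in the report, next to a hardened form, as an added example that is not Savane's own code. The function names and the constructed `$_SERVER`-style arrays are assumptions for illustration; the two sample requests mirror the URLs in the submission.

```php
<?php
// Added illustration, not Savane source. Function names are hypothetical.

// Vulnerable pattern: PHP_SELF contains the script name plus PATH_INFO,
// i.e. whatever the client appends after /index.php/, already URL-decoded.
function form_open_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: SCRIPT_NAME carries no PATH_INFO, and the value is escaped for
// an HTML attribute. ENT_QUOTES also encodes the single quote (%27) used
// in the second URL of the report.
function form_open_hardened(array $server): string
{
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// If the extra path must be kept, escaping PHP_SELF itself is the minimum.
function form_open_escaped(array $server): string
{
    $action = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// Constructed server variables for the two requests in the report.
$requests = [
    ['SCRIPT_NAME' => '/index.php',
     'PHP_SELF'    => '/index.php/"><script>alert(1)</script>'],
    ['SCRIPT_NAME' => '/my/items.php',
     'PHP_SELF'    => '/my/items.php/\'"><script>alert(1)</script>'],
];

foreach ($requests as $server) {
    $outputs = [
        'vulnerable' => form_open_vulnerable($server),
        'hardened'   => form_open_hardened($server),
        'escaped'    => form_open_escaped($server),
    ];
    foreach ($outputs as $label => $html) {
        // A raw <script> tag in the markup means the attribute was broken out of.
        $state = strpos($html, '<script>') !== false ? 'INJECTED' : 'safe';
        printf("%-10s %-8s %s\n", $label, $state, $html);
    }
}
```

Auditing a code base for this issue comes down to finding every place `PHP_SELF` (or `$PHP_SELF` under register_globals) reaches output without escaping, not only form `action` attributes.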

 

No files currently attached

 

Depends on the following items: None found

Items that depend on this one: None found

 


Follow 2 latest changes.

Date | Changed By | Updated Field | Previous Value => Replaced By
Tue 09 Jun 2009 09:33:23 PM UTC | munozferna | Priority | -Automatic update due to transitions settings- => E - Immediate
 | | Assigned to | -Automatic update due to transitions settings- => savane-security


    Powered by Savane 3.1-cleanup