From: Sylvain Beucler
Subject: Re: [Savannah-hackers] [gnu.org #216816] Cross-Site Scripting Vulnerability on savannah.gnu.org
Date: Fri, 10 Dec 2004 20:48:17 +0100
User-agent: Mutt/1.4.2.1i
Hi,
It's fixed, in both Savannah and Savane.
Thanks for the report :)
--
Sylvain
On Fri, Dec 10, 2004 at 08:46:38AM -0500, Justin Pence via RT wrote:
> Hey, guys. Got a security report that I think you should see. I
> already replied to him saying that I'm forwarding this to you guys,
> might be a good idea to give him a quick note saying that you've seen
> it.
>
> --
> Justin Pence
> GNU/FSF Webmaster
> -----------------------------------
>
> Subject: Cross-Site Scripting Vulnerability on savannah.gnu.org
> Date: Wed, 8 Dec 2004 18:30:22 +0100
> To: <address@hidden>, <address@hidden>
> From: "mikx" <address@hidden>
>
>
> Hello,
>
> this is a security vulnerability report. Please confirm receipt of this
> email.
>
> __Vulnerability Summary
>
> savannah.gnu.org suffers from a Cross-Site Scripting (XSS) vulnerability:
>
>
> http://savannah.gnu.org/search/?words="><script>alert(document.cookie)</script><x%20y="&type_of_search=soft&exact=1
>
>
> and
>
>
> https://savannah.gnu.org//account/login.php?form_loginname=x"><script>alert(document.cookie)</script><x%20y="
>
>
> This can be used to obfuscate/fake the output and/or steal cookies by
> inserting arbitrary html/javascript code.
>
> __Contact Information
>
> Please contact me by email or IM, both: address@hidden
>
> Kind regards,
> Michael Krax aka mikx
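Both URLs in the report follow the same pattern: a query parameter (`words` on the search page, `form_loginname` on the login page) is reflected into the `value="..."` attribute of a form field, and the payload begins with `">` to close that attribute and the tag before injecting a script element. The following is an added illustration of that class of bug and of the output-escaping fix, written in PHP because Savane is a PHP application; it is not Savane's actual code, and the function names and form markup are assumptions made for the example.

```php
<?php
// Added example, not Savane's code. Models a search form that reflects the
// "words" query parameter into an <input> value attribute, first the way the
// report describes it and then with context-appropriate escaping.
// Function names and markup are assumptions for this illustration.

// VULNERABLE: the raw parameter is concatenated straight into HTML.
// A value beginning with "> closes the attribute and the <input> tag, so
// whatever follows is parsed as markup and any <script> it contains runs.
function render_search_form_unsafe(string $words): string
{
    return '<form action="/search/">'
         . '<input type="text" name="words" value="' . $words . '">'
         . '</form>';
}

// FIXED: escape for the HTML attribute context before interpolating.
// ENT_QUOTES matters here: the default flags leave the double quote alone,
// and a surviving double quote is exactly what lets the attribute be closed.
// ENT_SUBSTITUTE keeps invalid UTF-8 from turning the output into an empty
// string, and naming the charset avoids depending on php.ini defaults.
function render_search_form_safe(string $words): string
{
    $escaped = htmlspecialchars($words, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="/search/">'
         . '<input type="text" name="words" value="' . $escaped . '">'
         . '</form>';
}

// Constructed input modelled on the payload shape quoted in the report.
$payload = '"><script>alert(document.cookie)</script><x y="';

echo "Unsafe rendering:\n", render_search_form_unsafe($payload), "\n\n";
echo "Safe rendering:\n", render_search_form_safe($payload), "\n";
```

Run it with `php example.php` and compare the two renderings: in the safe version every `"` from the parameter becomes `&quot;` and every `<` becomes `&lt;`, so the browser shows the whole string as the field's text instead of parsing it as tags. The same treatment applies to the login form's `form_loginname` parameter; the general rule is to escape at output time for the context the value lands in (attribute, element body, URL, JavaScript), since a single global input filter tends to miss at least one of those contexts.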