[Savannah-help-public] [sr #106475] Cross-site scripting using feedback

savannah-hackers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-help-public] [sr #106475] Cross-site scripting using feedback

From:	Matt McCutchen
Subject:	[Savannah-help-public] [sr #106475] Cross-site scripting using feedback variable
Date:	Sat, 13 Feb 2010 22:53:35 +0000
User-agent:	Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2) Gecko/20100210 Fedora/3.6.1-1.matt1.fc12 Namoroka/3.6

Follow-up Comment #3, sr #106475 (project administration):

The XSS does not seem to work any more.  Still, it's not comforting that an
attacker can place arbitrary text in an apparently trusted part of the
Savannah UI.  Example.
<https://savannah.gnu.org/my/admin/?feedback=You%20have%20granted%20Matt%20McCutchen%20access%20to%20your%20Savannah%20account%2e>

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?106475>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[Savannah-help-public] [sr #106475] Cross-site scripting using feedback variable, Matt McCutchen <=

Prev by Date: [Savannah-help-public] [sr #107055] XSRF
Next by Date: [Savannah-help-public] [sr #107269] gplv3-or-later not offered to new projects
Previous by thread: [Savannah-help-public] [sr #107055] XSRF
Next by thread: [Savannah-help-public] [sr #107269] gplv3-or-later not offered to new projects
Index(es):
- Date
- Thread