Hello,

I was going through SourceForge to download the PyDev plugin and I encountered a Cross-Site Scripting vulnerability in certain domains hosted by SourceForge. I am including the links which have the vulnerability and preventive measures, and I am also sending mails to the host.
I am reporting this issue as a matter of my personal interest and also for a better and safe Web.
Also I swear that I did not cause any havoc to the site and I am reporting this privately and have not disclosed it publicly.

Links:
====

[A]XSS Vulnerability:
------------------------------
Cross-site scripting is a vulnerability in which malicious scripts are injected into websites, which can lead to a total breach of security when customer details are stolen or manipulated, as described by OWASP.

[*]LMMS.SOURCEFORGE

1.http://lmms.sourceforge.net/lsp/index.php?action=%22%3E%3CSCrIpT%3Ealert%28%27Your%20Site%20has%20XSS%27%29%3C%2FScRiPt%3E&category=Presets
[ACTION= is the vulnerable parameter. Check for sanitizing of inputs before parsing them]

2.http://lmms.sourceforge.net/lsp/index.php?action=%22%3E%3CSCrIpT%3Ealert%28%27You%20have%20XSS%20Vulneribility%27%29%3C%2FScRiPt%3E&file=3972
[ACTION= is vulnerable]

3.lmms.sourceforge.net/lsp/index.php?action="><SCrIpT>alert('You have an XSS')<%2FScRiPt>&user=DerWeisbecker
[ACTION= is vuln.]

4.http://lmms.sourceforge.net/lsp/index.php?action=%22%3E%3CSCrIpT%3Ealert%28%27XSS%20FOUND%27%29%3C%2FScRiPt%3E&category=Projects&subcategory=Ambient
[ACTION=]

5.lmms.sourceforge.net/lsp/index.php?action="><SCrIpT>alert('XSS')<%2FScRiPt>

Mitigations:
---------------------
Please refer to:
[OWASP XSS CHEAT SHEET] https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
[XSS FILTER EVASION] https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
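
The fix the OWASP cheat sheet above prescribes for this class of bug is output encoding in the HTML context where the value is reflected, optionally backed by an allowlist of accepted values. The following is an added example, not code from the LSP site or from SourceForge: a minimal index.php-style handler that echoes an `action` query parameter (the parameter name is from the report; the function names, the allowed action list and the probe string are hypothetical), shown first in the pattern that reflects the value unchanged and then in a hardened form.

```php
<?php
// Added example, not the site's own code. The parameter name "action" is taken
// from the report; function names, the allowlist and the probe are constructed.

// Vulnerable pattern: untrusted input concatenated into HTML unchanged, so a
// quote in the value closes the attribute and the rest is parsed as markup.
function render_vulnerable(string $action): string {
    return '<input type="hidden" name="action" value="' . $action . '">';
}

// Hardened pattern: HTML-encode on output for the attribute context.
// ENT_QUOTES encodes both " and ' so the value cannot break out of the
// attribute; the explicit charset avoids ambiguity with multibyte sequences.
function render_safe(string $action): string {
    $encoded = htmlspecialchars($action, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="action" value="' . $encoded . '">';
}

// Defence in depth: accept only the actions the application actually defines,
// and fall back to a known default for anything else.
const ALLOWED_ACTIONS = ['browse', 'show', 'search'];

function normalise_action(?string $action): string {
    return in_array($action, ALLOWED_ACTIONS, true) ? $action : 'browse';
}

// Constructed probe with the same shape as the reported input (a quote that
// closes the attribute followed by a script tag), already URL-decoded as PHP
// does for values in $_GET.
$probe = '"><script>alert(1)</script>';

echo "vulnerable: " . render_vulnerable($probe) . "\n";
echo "safe:       " . render_safe($probe) . "\n";
echo "allowlist:  " . render_safe(normalise_action($probe)) . "\n";
// In a real handler: $action = normalise_action($_GET['action'] ?? null);
```

Run with `php example.php`: the "safe" line shows the probe rendered as `&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;` inside the attribute, inert to the browser, and the "allowlist" line shows the unrecognised value replaced by the default. Encoding must be applied at every point the parameter is written into the response (attribute, element body, JavaScript string), with the encoder matching each context, which is the distinction the cheat sheet's rules are organised around.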

I hope that you read it and take preventive measures to avoid this attack.
I repeat, these are not *potential* but proven attacks which have the ability even to take control of the server.

Do reply to this mail address.
Awaiting your response.

Cheers,
Nishaanth Guna aka gameFace22