
#1 Insert JS into logs via username field

2.0
closed-fixed
Adam Franco
9
2008-08-06
2008-08-06
Adam Franco
No

To exploit persistent Cross Site Scripting, Rapid7 entered the following information within the login page:

Username: <script>alert('xss')</script>
Password: passwd

Next, we logged into Segue2 as an administrator and opened the "Browse Logs" page for Harmoni. Below is a screenshot of the page:

This attack can be used to gain administrator privileges on the Segue2 system. An attacker only needs to perform a GET request with the administrator's session information in the request and then review the web server logs to extract the information.

Found during Rapid7 security audit.
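The root cause described in this ticket is a log viewer that writes a user-supplied field (the username) to a log and later drops the raw log text into an HTML page. The following is an added example, not code from Harmoni or Segue: it shows the vulnerable rendering pattern beside the fixed one (escape at output time), a simple check a tester or reviewer can run over the rendered page, and a write-time sanitizer as defense in depth. The log line format and all sample entries are constructed for the example.

```python
import html
import re

# Constructed sample log lines in the style the ticket describes: one login
# attempt whose username field carried a script tag. The line format is a
# hypothetical one for this example, not Harmoni's actual log format.
SAMPLE_LOG = [
    "2008-08-06 10:12:01 login failed user=alice",
    "2008-08-06 10:12:09 login failed user=<script>alert('xss')</script>",
    "2008-08-06 10:13:44 login ok user=admin",
]


def render_logs_unsafe(lines):
    """The vulnerable pattern: log text is concatenated straight into HTML,
    so any markup stored in the log becomes live in the viewer's browser."""
    items = "\n".join(f"  <li>{line}</li>" for line in lines)
    return f"<ul>\n{items}\n</ul>"


def render_logs_safe(lines):
    """The fix: escape every entry at output time. Markup in a username is
    then displayed literally instead of executed by the admin's browser."""
    items = "\n".join(f"  <li>{html.escape(line, quote=True)}</li>" for line in lines)
    return f"<ul>\n{items}\n</ul>"


def contains_active_markup(rendered):
    """Review/detection check: does the rendered page still contain a
    live <script> tag? True means the viewer is injectable."""
    return re.search(r"<script\b", rendered, re.IGNORECASE) is not None


def sanitize_for_log(field, max_len=64):
    """Defense in depth at write time: drop non-printable characters (so a
    field cannot forge extra log lines via CR/LF) and cap the length.
    This does not replace output escaping; both layers are kept."""
    cleaned = "".join(ch for ch in field if ch.isprintable())
    return cleaned[:max_len]


if __name__ == "__main__":
    print("unsafe viewer injectable:", contains_active_markup(render_logs_unsafe(SAMPLE_LOG)))
    print("safe viewer injectable:  ", contains_active_markup(render_logs_safe(SAMPLE_LOG)))
    print(render_logs_safe(SAMPLE_LOG))
```

The escaping in `render_logs_safe` is the change that actually closes the hole reported here; `sanitize_for_log` only limits what an attacker can place in the log and should not be relied on alone, since a browser will still execute any tag that survives into unescaped HTML.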

Discussion

  • Adam Franco
    2008-08-06

    Fixed in Harmoni 1.4.7/Segue 2.0-Beta 30.

    Logs are no longer a vector for XSS injection/persistence.

  • Adam Franco
    2008-08-06

    • status: open --> closed-fixed