
#537 Multiple XSS and CSRF vulnerabilities

Status: closed
Group: None
Priority: 9
Updated: 2008-01-27
Created: 2008-01-08
Creator: Anonymous
Private: No

I think these vulnerabilities apply to other pages, but just as an example, if you add a new bug, type in <script language="javascript">alert('XSS')</script> for any of the text fields, and click Create, then when you click on the details for that bug, the JavaScript will run.

Also, if someone embedded an img linked to something like delete_bug.aspx?confirm=y&id=10 and an admin views this page, the bug will be deleted automatically without confirmation.

siywong@mailworks.org

Discussion

  • Corey Trager

    Corey Trager - 2008-01-08

    Screenshot showing that I do NOT have the problem reported here.

     
  • Corey Trager

    Corey Trager - 2008-01-08

    Logged In: YES
    user_id=645778
    Originator: NO

    I'm not seeing the same behavior that you are... Hmmm.
    File Added: xss.gif

     
  • Corey Trager

    Corey Trager - 2008-01-08
    • priority: 5 --> 7
    • assigned_to: nobody --> ctrager
    • summary: Multiple XSS and CSRF vulnerabilities --> cross scripting vulnerability in edit_bug.aspx
     
  • Corey Trager

    Corey Trager - 2008-01-08

    More specifically, if you edit a bug entering text into a custom text field, then when a user with view-only permission on that bug views that bug using edit_bug.aspx, the script will be executed. The problem only occurs with custom text fields and only when the viewer is a view-only user. I was able to reproduce.

    Not sure yet whether the "Also, if someone embedded an img..." statement is real or hypothetical.

     
  • Corey Trager

    Corey Trager - 2008-01-08
    • priority: 7 --> 9
    • summary: cross scripting vulnerability in edit_bug.aspx --> Multiple XSS and CSRF vulnerabilities
     
  • Corey Trager

    Corey Trager - 2008-01-08

    From Si Wong:

    Suppose you are logged into the bug tracker as an admin, and I set up a web page with an image with src="http://yourdomain.com/bugtracker/delete_bug.aspx?confirm=y&id=10"

     
  • Corey Trager

    Corey Trager - 2008-01-09

    The one identified XSS vulnerability will be fixed soon, but the many CSRF vulnerabilities will probably take a while. I'll work first on the page that allows somebody to delete a bug, since that's the worst. Here's more info about CSRF:

    http://www.cgisecurity.com/articles/csrf-faq.shtml

    The only way to protect yourself is to log off when you are done using BugTracker.NET, before you go visiting websites you don't trust.
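A constructed model of the two issues discussed in this thread, added here as an example and not code from BugTracker.NET (whose pages are ASP.NET; Python is used so the model runs stand-alone). It puts the unencoded custom-field output that lets a stored script run when a view-only user opens edit_bug.aspx beside an output-encoded version, and puts a delete_bug handler that honours a bare GET with confirm=y beside one that only accepts a POST carrying a per-session anti-forgery token, so the <img src=...> trick from Si Wong's message fails. The function names, the Session class and the csrf_token parameter are assumptions made for the illustration.

```python
import hmac
import html
import secrets

# Constructed example; the real BugTracker.NET pages are ASP.NET (edit_bug.aspx,
# delete_bug.aspx). Function names, Session and the csrf_token parameter are
# assumptions made for this illustration, not the project's own API.

# The exact string from the original report.
XSS_PAYLOAD = "<script language=\"javascript\">alert('XSS')</script>"


def render_custom_field_vulnerable(label, value):
    """Reproduces the reported behaviour: the stored field value is pasted
    straight into the page, so a stored <script> executes in the viewer's browser."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (label, value)


def render_custom_field_fixed(label, value):
    """HTML-encode on output. The same stored value is shown as literal text;
    '<' becomes '&lt;' so the browser never sees a script tag."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (html.escape(label), html.escape(value))


class Session:
    """Server-side session for a logged-in user, holding a random anti-forgery
    token that the app embeds in its own forms but a third-party site cannot read."""

    def __init__(self, user, is_admin):
        self.user = user
        self.is_admin = is_admin
        self.csrf_token = secrets.token_urlsafe(32)


def _bug_id(params):
    raw = params.get("id", "")
    return int(raw) if raw.isdigit() else None


def delete_bug_vulnerable(bugs, session, method, params):
    """Deletes on any request, GET included, as long as the session is an admin's.
    <img src="delete_bug.aspx?confirm=y&id=10"> on an attacker's page makes the
    admin's browser send exactly this request with the admin's cookie attached."""
    if not session.is_admin:
        return 403
    bug_id = _bug_id(params)
    if params.get("confirm") != "y" or bug_id is None:
        return 400
    bugs.pop(bug_id, None)
    return 200


def delete_bug_fixed(bugs, session, method, params):
    """Requires a POST carrying the session's own token. An <img> can only issue a
    GET, and a cross-site auto-submitting form cannot read the token to include it."""
    if not session.is_admin:
        return 403
    if method != "POST":
        return 405
    supplied = params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return 403
    bug_id = _bug_id(params)
    if params.get("confirm") != "y" or bug_id is None:
        return 400
    bugs.pop(bug_id, None)
    return 200


def demo():
    """Run both attacks against the vulnerable and fixed code; return the outcomes."""
    admin = Session("admin", is_admin=True)
    forged = {"confirm": "y", "id": "10"}  # what the <img> GET carries
    results = {}

    results["xss_vulnerable_has_script"] = "<script" in render_custom_field_vulnerable("Custom", XSS_PAYLOAD)
    results["xss_fixed_has_script"] = "<script" in render_custom_field_fixed("Custom", XSS_PAYLOAD)

    bugs = {10: "target bug"}
    results["csrf_vulnerable_status"] = delete_bug_vulnerable(bugs, admin, "GET", forged)
    results["csrf_vulnerable_deleted"] = 10 not in bugs

    bugs = {10: "target bug"}
    results["csrf_fixed_get_status"] = delete_bug_fixed(bugs, admin, "GET", forged)
    results["csrf_fixed_bad_token_status"] = delete_bug_fixed(bugs, admin, "POST", dict(forged, csrf_token="guess"))
    results["csrf_fixed_deleted_by_forgery"] = 10 not in bugs
    results["csrf_fixed_legit_status"] = delete_bug_fixed(bugs, admin, "POST", dict(forged, csrf_token=admin.csrf_token))
    results["csrf_fixed_deleted_legit"] = 10 not in bugs
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The logging-off advice above is the only thing a user can do from the client side, because the browser attaches the session cookie to the forged request automatically; the token check and the refusal of GET for a state change are what the server has to add.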

     
  • Corey Trager

    Corey Trager - 2008-01-13

    As far as I know, all the issues reported here are fixed by version 2.7.2. Contact me at ctrager@yahoo.com to report/discuss security concerns.

    Many Thanks to Si Wong for discovering and reporting these vulnerabilities.

     
  • Corey Trager

    Corey Trager - 2008-01-27
    • status: open --> closed
     
