View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004061 | mantisbt | security | public | 2004-07-10 11:32 | 2006-10-09 11:55 |
Reporter | joxeanpiti | Assigned To | vboctor | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | duplicate | ||
Product Version | 0.19.0a1 | ||||
Summary | 0004061: Multiple Cross Site Scripting Vulnerabilities | ||||
Description | I found multiple XSS vulnerabilities. The problems are always the same: incorrect sanitization of the passed parameters. In the "Additional Information" field I put 3 proofs of concept to test these possible attacks. | ||||
Additional Information | Multiple Cross Site Scripting Vulnerabilities
1.- (RE-)LOGIN XSS VULNERABILITY - The first vulnerability that I found is this: You can log in anonymously and, when you want to perform a privileged
2.- REGISTER NEW USER XSS VULNERABILITY - The second XSS problem is in the script signup.php (for example, http://bugs.mantisbt.org/signup.php). This script registers
3.- SELECT PROJECT XSS VULNERABILITY - I will not explicate the problem because it is the same every time. Try the following URL please: | ||||
Tags | No tags attached. | ||||
1.- Register New User XSS Vulnerability is not corrected. Try it:
`<script>document.write('Cookie is : ' + document.cookie)</script>`
2.- Select Project XSS Vulnerability is not fixed. Try the following URL: `http://bugs.mantisbt.org/login_select_proj_page.php?ref=%22><script>alert(document.cookie)</script>`
edited on: 07-18-04 13:51
edited on: 07-18-04 13:52 |
|
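The report attributes every issue to request parameters echoed without sanitization. The PHP below is an added example, not MantisBT code and not part of the original report: it encodes the two payloads quoted in the note above for the HTML context they land in and checks that no script tag survives. The function names, and the assumptions that `ref` is echoed into a hidden field's `value` attribute and that the signup form re-displays the submitted username, are hypothetical.

```php
<?php
// Added example; not MantisBT code. All function names are hypothetical.

/** Encode untrusted text for HTML element content or a quoted attribute value. */
function encode_for_html(string $value): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close a quoted attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Assumption: ref is echoed into a hidden field so the login flow can return to it. */
function render_ref_field(string $ref): string
{
    return '<input type="hidden" name="ref" value="' . encode_for_html($ref) . '" />';
}

/** Assumption: the signup form re-displays the submitted username on error. */
function render_signup_error(string $username): string
{
    return '<p>Unable to register "' . encode_for_html($username) . '".</p>';
}

// Constructed inputs: the two payloads from the note, as PHP sees them after URL decoding.
$ref      = '"><script>alert(document.cookie)</script>';
$username = "<script>document.write('Cookie is : ' + document.cookie)</script>";

foreach ([render_ref_field($ref), render_signup_error($username)] as $html) {
    // Regression check: no markup from the parameter survives encoding.
    if (stripos($html, '<script') !== false) {
        throw new RuntimeException('unencoded script tag in output');
    }
    echo $html, PHP_EOL;
}
```

The same encoding applies wherever a request parameter is written into HTML text or a quoted attribute; values placed inside a URL, a script block or a style block need the encoding for that context instead.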