View Issue Details
| Field | Value |
|---|---|
| ID | 0004062 |
| Project | mantisbt |
| Category | security |
| View Status | public |
| Date Submitted | 2004-07-10 11:32 |
| Last Update | 2006-10-09 11:55 |
| Reporter | joxeanpiti |
| Assigned To | vboctor |
| Priority | normal |
| Severity | major |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Product Version | 0.19.0a1 |
| Fixed in Version | 0.19.0rc1 |
| Summary | 0004062: Multiple Cross Site Scripting Vulnerabilities |
| Tags | No tags attached. |

Description

I found multiple XSS vulnerabilities. The problems are always the same: incorrect sanitization of the passed parameters. In the "Additional Information" field I put 3 proofs of concept to test these possible attacks.

Additional Information

Multiple Cross Site Scripting Vulnerabilities

1.- (RE-)LOGIN XSS VULNERABILITY - The first vulnerability that I found is this: you can log in anonymously and, when you want to perform a privileged

2.- REGISTER NEW USER XSS VULNERABILITY - The second XSS problem is in the script signup.php (for example, http://bugs.mantisbt.org/signup.php). This script registers

3.- SELECT PROJECT XSS VULNERABILITY - I will not explicate the problem because it is the same every time. Try the following URL please:
I found the 4th XSS vulnerability. Try the following URL: http://bugs.mantisbt.org/view_all_set.php?type=1&reporter_id=5031&hide_status=80<script>alert('hi')</script> (edited on: 07-10-04 11:47)
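As an added illustration, not Mantis's own code from this fix or any other version, the pattern behind the reports above: a query parameter such as hide_status from the note above is written back into the page unchanged, beside a hardened version that validates it as the integer it is expected to be and HTML-encodes anything placed into markup. The function names and the default value of 0 are assumptions for this example.

```php
<?php
// Added example, not Mantis code. Shows the reflected-XSS pattern reported
// in this issue (a parameter echoed without sanitization) and one defensive rewrite.

// Vulnerable pattern: the raw query parameter is concatenated into HTML.
function render_filter_vulnerable(array $get): string {
    $hide_status = $get['hide_status'] ?? '';
    return '<input type="hidden" name="hide_status" value="' . $hide_status . '">';
}

// Hardened pattern: validate the expected type first, then encode at the HTML boundary.
function render_filter_hardened(array $get): string {
    // hide_status is a numeric status code, so anything that is not an integer is rejected.
    $hide_status = filter_var($get['hide_status'] ?? '', FILTER_VALIDATE_INT);
    if ($hide_status === false) {
        $hide_status = 0; // safe default (assumption for this example)
    }
    // Encode even validated values: the output context, not the input, decides the escaping.
    $safe = htmlspecialchars((string) $hide_status, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="hide_status" value="' . $safe . '">';
}

// Constructed input mirroring the hide_status value from the fourth bugnote.
$constructed_get = ['hide_status' => "80<script>alert('hi')</script>"];

// The vulnerable version closes the value attribute and emits the <script> element as-is.
echo render_filter_vulnerable($constructed_get), "\n";

// The hardened version rejects the non-integer value and renders the default 0.
echo render_filter_hardened($constructed_get), "\n";
```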
I just checked in some code to address the 4th issue, mentioned in the bugnotes.
Thanks JoxeanKoret. The issues you reported are now fixed in the CVS version. Please let us know if you find further problems.