Posted to dev@allura.apache.org by Tim Van Steenburgh <va...@users.sf.net> on 2013/07/17 15:54:35 UTC

[allura:tickets] #6469 Insecurity in Admin Overview Form [ss4721]

- **private**: Yes --> No



---

**[tickets:#6469] Insecurity in Admin Overview Form [ss4721]**

**Status:** closed
**Labels:** support p1 security 
**Created:** Tue Jul 16, 2013 06:26 PM UTC by Chris Tsai
**Last Updated:** Tue Jul 16, 2013 10:29 PM UTC
**Owner:** Tim Van Steenburgh

Hi All,

We have discovered a potential vulnerability in the project admin overview form at /admin/overview that could enable an attacker to inject custom html (including script tags) to anyone who visited that form page. The problem appears to be not limited to this form, but in every non-markdown textarea element on the site. Another example is in the milestone descriptions in the Ticket Admin Fields form at /admin//fields.

You can see an example at my project here: https://sourceforge.net/p/will/admin/overview, in which I have injected a simple js alert. However, prudence should preclude you from visiting that page, so I shall describe the exploit:

Within the Full Description textarea element, simply close the textarea tag, inject your own html, then open another textarea tag to round it out. This is what I put in:

~~~~
</textarea><script>alert("DOOM")</script><textarea>
~~~~

Once you put it in, make sure to reload the page, otherwise the browser will probably prevent the script from running after the post (at least Chrome does).

In this case this attack is limited to those with admin rights to a project, but it nonetheless seems at least somewhat serious.


---

Sent from sourceforge.net because allura-dev@incubator.apache.org is subscribed to https://sourceforge.net/p/allura/tickets/
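The ticket describes a stored XSS that works because a saved field value is written into a `<textarea>` without HTML escaping, so a value containing `</textarea>` ends the element early and whatever follows is parsed as live markup. The following Python snippet is an added illustration, not code from Allura or from the ticket: it renders the same stored value both the vulnerable way (verbatim interpolation) and the hardened way (`html.escape` before interpolation), and runs a small break-out check over each result. The function names, the one-textarea-per-fragment assumption in `textarea_is_intact`, and the field name `description` are all assumptions made for the example; the sample value is the exact string quoted in the ticket.

```python
import html
import re

# Constructed sample: the string the ticket reports pasting into the
# "Full Description" textarea (copied from the ticket text above).
INJECTED_DESCRIPTION = '</textarea><script>alert("DOOM")</script><textarea>'


def render_textarea_unescaped(name: str, value: str) -> str:
    """Vulnerable rendering: the stored value is spliced into the page verbatim.

    A value containing '</textarea>' terminates the element early and the
    remainder is parsed as markup, which is the defect the ticket describes.
    """
    return f'<textarea name="{name}">{value}</textarea>'


def render_textarea_escaped(name: str, value: str) -> str:
    """Hardened rendering: escape '<', '>', '&' and quotes before interpolation.

    The browser decodes the entities for display, so the user still sees the
    text exactly as typed, but it is never parsed as tags.
    """
    safe_name = html.escape(name, quote=True)
    safe_value = html.escape(value, quote=True)
    return f'<textarea name="{safe_name}">{safe_value}</textarea>'


_SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
_TEXTAREA_CLOSE = re.compile(r"</textarea\s*>", re.IGNORECASE)


def textarea_is_intact(rendered: str) -> bool:
    """Return True if the rendered fragment has no raw <script> tag and exactly
    one closing </textarea>, i.e. the stored value did not break out of the
    element. Assumption (example only): one textarea per rendered fragment.
    """
    return (_SCRIPT_TAG.search(rendered) is None
            and len(_TEXTAREA_CLOSE.findall(rendered)) == 1)


def audit_description(value: str) -> dict:
    """Render one stored value both ways and report whether each survives the
    break-out check. Field name 'description' is a hypothetical example value."""
    unescaped = render_textarea_unescaped("description", value)
    escaped = render_textarea_escaped("description", value)
    return {
        "unescaped_html": unescaped,
        "unescaped_intact": textarea_is_intact(unescaped),
        "escaped_html": escaped,
        "escaped_intact": textarea_is_intact(escaped),
    }


if __name__ == "__main__":
    report = audit_description(INJECTED_DESCRIPTION)
    for key, val in report.items():
        print(f"{key}: {val}")
```

Running the block shows the unescaped render failing the check (two `</textarea>` closes and a live `<script>`) while the escaped render passes with the payload turned into `&lt;/textarea&gt;&lt;script&gt;...`. Template engines with autoescaping enabled (for example Jinja2 with `autoescape=True`) apply the same transformation to every interpolated value by default, which is why the ticket's observation that every non-markdown textarea is affected points at escaping being bypassed or disabled at the template layer rather than at any single form.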