Posted to dev@allura.apache.org by Dave Brondsema <br...@users.sf.net> on 2013/12/02 16:09:25 UTC

[allura:tickets] #6889 XSS on /p/add_project/

- **Size**:  --> 1



---

**[tickets:#6889] XSS on /p/add_project/**

**Status:** closed
**Labels:** support p1 security 
**Created:** Sat Nov 16, 2013 02:34 AM UTC by Chris Tsai
**Last Updated:** Mon Nov 18, 2013 04:24 PM UTC
**Owner:** Dave Brondsema

[forge:site-support:#5930]

> If you copy and paste this payload: `"><img src=x onerror=prompt(1);>` at the page of sourceforge/p/add_Project in the two forms, you get an XSS

Not sure how exploitable that actually is, but following his instructions anyway I was able to reproduce that.

