[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SASHA v0.2.0 Mutiple XSS
- To: tom <tom@xxxxxxxxxx>
- Subject: Re: SASHA v0.2.0 Mutiple XSS
- From: Henri Salo <henri@xxxxxxx>
- Date: Tue, 20 Dec 2011 00:51:04 +0200
On Sun, Dec 18, 2011 at 02:08:19PM -0500, tom wrote:
> # Exploit Title: SASHA v0.2.0 Mutiple XSS
> # Date: 12/16/11
> # Author: G13
> # Software Link: http://sourceforge.net/projects/sasha/files/
> # Version: 0.2.0
> # Category: webapps (php)
> #
>
>
> ##### Vulnerability #####
>
> When adding a new course to the schedule, the application relies on
> Client Side controls for input. This can easily be bypassed by
> using an intercepting proxy or CSRF attack.
>
>
> ##### Affected Variables #####
>
> section_title=[XSS]
> instructors=[XSS]
>
> ##### POST Data #####
>
> institution=uvm&semester%5Bseason%5D=09&semester%5Byear%5D=2011&schedule_type=0&
> subject=math&course=0028§ion=test&start_time%5Bhour%5D=8&
> start_time%5Bminute%5D=0&start_time%5Bmeridiem%5D=AM&end_time%5Bhour%5D=9&
> end_time%5Bminute%5D=0&end_time%5Bmeridiem%5D=AM&parent_schedule_id=&
> instructors%5B0%5D=&instructors%5B1%5D=&instructors%5B2%5D=&instructors%5B3%5D=&
> instructors%5B4%5D=&instructors%5B5%5D=§ion_title=&step=1&next=Next
This seems to be a false-positive in some sense. Variable instructors has
stored XSS vulnerability, but section_title doesn't. One can only use this
XSS-vulnerability against own account so not an issue. Author of the program
will still fix this issue. Tom in my opinion you are doing great work, but
please contact developers before announcements. I know this is sometimes waste
of time, but you should still do that. In my opinion this doesn't deserve CVE.
Please also note that this software is not heavily used as far as developer
knew so might be the best not to email bugtraq before fix/patch next time.
More information: https://sourceforge.net/apps/mantisbt/sasha/view.php?id=13
You can also reach them at #sasha-dev in Freenode IRC-network.
- Henri Salo