View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0000065 | Main CAcert Website | website content | public | 2005-09-21 04:25 | 2013-11-20 22:23 |
| Reporter | Sourcerer | Assigned To | duane | ||
| Priority | urgent | Severity | major | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Fixed in Version | 2006 | ||||
| Summary | 0000065: Security Hole: CrossSiteScripting | ||||
| Description | From: Jens Weibler Email: cacert@jensthebrain.de Subject: Security Hole - XSS Message: Hi, check the following URL: http://www.cacert.org/index.php?id=18&message=<script>javascript:alert(document.lastModified);</script> Please make XSS impossible on the cacert-page! | ||||
| Tags | No tags attached. | ||||
| Reviewed by | |||||
| Test Instructions | |||||
| has duplicate | 0000158 | closed | Inserting text into the CAcert website |
|
|
This page only exists to report MS JS errors, the MS JS needs to be fixed instead... |
|
|
Code should not allow XSS at all, regardless of who's fault the creation of this page is! |
|
|
It should NEVER be allowed to inject html into some other website! If an attacker sets up a website including an image like <img src="http://www.cacert.org/index.php?id=18&message=<script>EVIL</script>"> and EVIL is a little JavaScript that sends the SessionID to the attackers server, it's very easy to take over other peoples CAcert accounts. Please filter all html Tags or at least use htmlentities()! |
|
|
Bug 0000158 fixes this. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2005-09-21 04:25 | Sourcerer | New Issue | |
| 2006-02-12 01:26 | evaldo | Assigned To | => duane |
| 2006-02-12 01:26 | evaldo | Status | new => needs work |
| 2006-04-21 07:29 | duane | Status | needs work => closed |
| 2006-04-21 07:29 | duane | Note Added: 0000175 | |
| 2006-04-21 07:29 | duane | Resolution | open => won't fix |
| 2006-04-21 07:29 | duane | Fixed in Version | => production |
| 2006-04-21 08:34 | snewpy | Status | closed => needs feedback |
| 2006-04-21 08:34 | snewpy | Resolution | won't fix => reopened |
| 2006-04-21 08:34 | snewpy | Note Added: 0000176 | |
| 2006-04-21 17:26 |
|
Note Added: 0000177 | |
| 2006-04-21 19:23 |
|
Relationship added | has duplicate 0000158 |
| 2006-08-14 03:46 | duane | Status | needs feedback => closed |
| 2006-08-14 03:46 | duane | Note Added: 0000414 | |
| 2006-08-14 03:46 | duane | Resolution | reopened => fixed |
| 2013-01-15 18:30 | Werner Dworak | Fixed in Version | => 2006 |
| 2013-11-20 22:23 | NEOatNHNG | View Status | private => public |
