Date: Tue, 20 Dec 2011 00:51:04 +0200
From: Henri Salo <henri@...v.fi>
To: tom <tom@...net.com>
Cc: submit@...sec.com, bugtraq@...urityfocus.com, me@...emsley.org
Subject: Re: SASHA v0.2.0 Multiple XSS

On Sun, Dec 18, 2011 at 02:08:19PM -0500, tom wrote:
> # Exploit Title: SASHA v0.2.0 Multiple XSS
> # Date: 12/16/11
> # Author: G13
> # Software Link: http://sourceforge.net/projects/sasha/files/
> # Version: 0.2.0
> # Category: webapps (php)
> #
> 
> 
> ##### Vulnerability #####
> 
> When adding a new course to the schedule, the application relies on
> client-side controls for input.  These can easily be bypassed by
> using an intercepting proxy or a CSRF attack.
> 
> 
> ##### Affected Variables #####
> 
> section_title=[XSS]
> instructors=[XSS]
> 
> ##### POST Data #####
> 
> institution=uvm&semester%5Bseason%5D=09&semester%5Byear%5D=2011&schedule_type=0&
> subject=math&course=0028&section=test&start_time%5Bhour%5D=8&
> start_time%5Bminute%5D=0&start_time%5Bmeridiem%5D=AM&end_time%5Bhour%5D=9&
> end_time%5Bminute%5D=0&end_time%5Bmeridiem%5D=AM&parent_schedule_id=&
> instructors%5B0%5D=&instructors%5B1%5D=&instructors%5B2%5D=&instructors%5B3%5D=&
> instructors%5B4%5D=&instructors%5B5%5D=&section_title=&step=1&next=Next

This seems to be a false positive in some sense. The variable instructors has a stored XSS vulnerability, but section_title doesn't. One can only use this XSS vulnerability against one's own account, so it is not an issue. The author of the program will still fix this issue. Tom, in my opinion you are doing great work, but please contact developers before announcements. I know this is sometimes a waste of time, but you should still do that. In my opinion this doesn't deserve a CVE. Please also note that this software is not heavily used as far as the developer knew, so it might be best not to email bugtraq before a fix/patch next time.

More information: https://sourceforge.net/apps/mantisbt/sasha/view.php?id=13

You can also reach them at #sasha-dev in Freenode IRC-network.

- Henri Salo
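The advisory's core point is that SASHA validated the "add course" form only in the browser, so anything sent directly to the server (via a proxy or a forged cross-site request) reached the stored field unfiltered. The following is an added example, written for this archive page and not SASHA's own code, of how a PHP handler for the same field names (section_title and the instructors[] array from the quoted POST data) would validate on the server and HTML-encode on output. The allow-list patterns, the length and count limits, and the function names are assumptions chosen for illustration.

```php
<?php
// Added example, not SASHA's code. Hypothetical server-side handling of the
// "add course" form fields named in the advisory (section_title, instructors[]).
// Validation runs on the server regardless of any client-side checks, and every
// stored value is HTML-encoded when it is rendered back into a page.

const MAX_FIELD_LEN = 100;   // assumed limit
const MAX_INSTRUCTORS = 6;   // the quoted form submits instructors[0]..[5]

/**
 * Validate the submitted course fields on the server.
 * Returns an array of clean values or throws InvalidArgumentException.
 */
function validate_course_input(array $post): array
{
    $title = trim((string)($post['section_title'] ?? ''));
    // Allow-list: letters, digits, space and a few punctuation marks (assumed policy).
    if (strlen($title) > MAX_FIELD_LEN || !preg_match('/^[\p{L}\p{N} .,\'&()-]*$/u', $title)) {
        throw new InvalidArgumentException('section_title contains disallowed characters or is too long');
    }

    $instructors = $post['instructors'] ?? [];
    if (!is_array($instructors) || count($instructors) > MAX_INSTRUCTORS) {
        throw new InvalidArgumentException('instructors must be an array of at most ' . MAX_INSTRUCTORS . ' entries');
    }

    $clean = [];
    foreach ($instructors as $name) {
        $name = trim((string)$name);
        if ($name === '') {
            continue; // the form submits empty slots; ignore them
        }
        if (strlen($name) > MAX_FIELD_LEN || !preg_match('/^[\p{L}\p{N} .,\'-]*$/u', $name)) {
            throw new InvalidArgumentException('instructor name contains disallowed characters or is too long');
        }
        $clean[] = $name;
    }
    return ['section_title' => $title, 'instructors' => $clean];
}

/** Encode a value for an HTML text context (also safe inside quoted attributes). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one schedule row; encoding happens here, at the output boundary. */
function render_schedule_row(array $course): string
{
    $names = array_map('h', $course['instructors']);
    return '<tr><td>' . h($course['section_title']) . '</td><td>' . implode(', ', $names) . '</td></tr>';
}

// Constructed sample submissions (not taken from the advisory).
$ok  = ['section_title' => 'Calculus I', 'instructors' => ['A. Lovelace', '', '']];
$bad = ['section_title' => 'Calculus I', 'instructors' => ['<script>alert(1)</script>']];

echo render_schedule_row(validate_course_input($ok)), PHP_EOL;

try {
    validate_course_input($bad);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Defence in depth: even a value that somehow bypassed validation is rendered inert by h().
echo render_schedule_row(['section_title' => '<b>x</b>', 'instructors' => []]), PHP_EOL;
```

Both layers matter: the allow-list rejects the payload before it is stored, and htmlspecialchars() on output means a value that reaches the database through some other path still cannot inject markup. Neither replaces an anti-CSRF token on the form, which the advisory's second bypass route (a forged cross-site request) would separately require and which this example does not show.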
