lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 12 Jan 2006 13:15:03 +0200
From: "M.Neset KABAKLI" <neset@...iza.com>
To: <bugtraq@...urityfocus.com>
Subject: FogBugz Cross Site Scripting Vulnerability


I.Vulnerability
FogBugz Cross Site Scripting Vulnerability


II.Vendor
Fog Creek Software (www.fogcreek.com)


III.Affected Systems
- FogBugz (<= 4.029)


IV.About
FogBugz is a complete web based project management system for software
teams. Designed by Joel Spolsky of Joel on Software fame (www.fogcreek.com).


V.Description
An attacker is able to inject HTML and client-side script codes to FogBugz
login page by modifying dest variabe. An example crafted link can be found
below.


VI.Exploit
http://[fogbugz.example.com]/default.asp?pg=pgLogon&dest=[XSS]


VII.Vulnerability Status
- Vulnerability discovered on 2005-12-11.
- Vendor notified on 2005-12-13.
- Patch released on 2005-12-13.


VIII.Credits
M.Neset KABAKLI, Wakiza Software Technologies (www.wakiza.com).

Powered by blists - more mailing lists