lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20070108215401.11848.qmail@securityfocus.com> Date: 8 Jan 2007 21:54:01 -0000 From: jose.palanco@...el.es To: bugtraq@...urityfocus.com Subject: GForge Cross Site Scripting vulnerability GForge Cross Site Scripting vulnerability Version: Tested on GForge 4.5.11 Discovered by: José Ramón Palanco: jose.palanco(at)eazel(dot)es http://www.eazel.es Description: GForge is vulnerable to a security vulnerability that allow Cross-Site Scripting attacks. Due to improper filtering, a remote attacker can cause a cross site scripting. To exploit any attacker may send via GET method the "words" variable to: >"<script>alert('www.eazel.es')</script> to http://site/search/advanced_search.php?group_id=X&search=1 where X is any active project in the gforge installation. Timeline: discovered: 26/10/2006 published: 8/01/2007 Original advisory: http://www.eazel.es/advisory006-gforge-cross-site-scripting-vulnerability.html