####################################################
Flyspray "The bug killer" multiple variable Cross-Site Scripting
vendor url: http://flyspray.rocks.cc/
Vendor specific bug report: http://flyspray.rocks.cc/bts/task/703
Advisory: http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
vendor notify: yes
exploit available: yes
#####################################################

Flyspray is an uncomplicated, web-based bug tracking system for assisting with software development.

Flyspray "The bug killer" contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to the index.php script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

##################
versions
##################

Flyspray 0.9.7
Flyspray 0.9.8
Flyspray 0.9.8 (devel)

##################
solution
##################

No solution was available at this time...

###################
TimeLine
###################

Discovered: 20-10-2005
Vendor notify: 24-10-2005
Vendor response: 25-10-2005
Disclosure: 26-10-2005

####################
Examples
####################

http://[victim]/index.php?PHPSESSID=270ca5a0f7c1e5b2fd4c52b34cdfe546&tasks=&project=1&string=lala&type=&sev=&due=&dev=&cat=&status=&perpage=20

The variables PHPSESSID, task, string, type, sev, due and dev are affected by XSS flaws.

http://[victim]/index.php?tasks=all%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&project=0

The variable task is affected.

http://[victim]/index.php?order=sev&project=1&tasks=&type=&sev=&dev=&cat=&status=&due=&string=&perpage=20&pagenum=0&sort=desc&order2=&sort2=desc

The variables task, type, due, string and sort2 are affected by XSS flaws.
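The advisory reports the flaw but not the code behind it, so the following is an added illustration in PHP of the pattern it describes and of the fix; it is not Flyspray's own code and was not part of the original advisory. The parameter names tasks, project, sort and string are taken from the example URLs above; the form layout, the function names and the constructed request are assumptions.

```php
<?php
// Added illustration, not Flyspray's code: a minimal index.php-style handler
// that reflects request parameters back into a search form. The first version
// reproduces the flaw pattern the advisory describes (no validation, no output
// encoding); the second shows the mitigation. Parameter names come from the
// advisory's example URLs; everything else is a constructed stand-in.

// Vulnerable pattern: raw request values are interpolated straight into HTML.
function render_search_form_vulnerable(array $get): string {
    $tasks   = $get['tasks']   ?? '';
    $string  = $get['string']  ?? '';
    $sort    = $get['sort']    ?? 'desc';
    $project = $get['project'] ?? '0';
    return '<form action="index.php">'
         . '<input type="hidden" name="tasks" value="' . $tasks . '">'
         . '<input type="hidden" name="project" value="' . $project . '">'
         . '<input type="hidden" name="sort" value="' . $sort . '">'
         . '<input type="text" name="string" value="' . $string . '">'
         . '</form>';
}

// Hardened pattern: validate each parameter against what it may legitimately
// hold, then HTML-encode whatever still reaches the page.
function h(string $s): string {
    // ENT_QUOTES also encodes the double quote, which is what closes the
    // value="..." attribute in the advisory's tasks=all"><script>... payload.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_form_hardened(array $get): string {
    // Enumerated parameter: allowlist, fall back to a safe default.
    $sort = in_array($get['sort'] ?? '', ['asc', 'desc'], true) ? $get['sort'] : 'desc';
    // Numeric parameter: cast, so no markup can survive.
    $project = (int)($get['project'] ?? 0);
    // Free-text parameters: keep the value but encode it at the output point.
    $tasks  = (string)($get['tasks']  ?? '');
    $string = (string)($get['string'] ?? '');
    return '<form action="index.php">'
         . '<input type="hidden" name="tasks" value="' . h($tasks) . '">'
         . '<input type="hidden" name="project" value="' . $project . '">'
         . '<input type="hidden" name="sort" value="' . h($sort) . '">'
         . '<input type="text" name="string" value="' . h($string) . '">'
         . '</form>';
}

// Constructed request mirroring the advisory's second example URL
// (tasks=all%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&project=0),
// with an extra out-of-allowlist sort value to exercise the fallback.
parse_str('tasks=all%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&project=0&sort=desc%22%3E', $req);

$bad  = render_search_form_vulnerable($req);
$good = render_search_form_hardened($req);

echo "vulnerable output contains <script>: " . (strpos($bad,  '<script>') !== false ? 'yes' : 'no') . "\n";
echo "hardened output contains <script>:   " . (strpos($good, '<script>') !== false ? 'yes' : 'no') . "\n";
echo $good . "\n";
```

The same output-point encoding applies to every reflected parameter the advisory lists, PHPSESSID included wherever it is written into links or form fields; the distinction that matters is between values with a closed set of legal forms (sort, project, perpage), which are validated before use, and free text (string, tasks), which is kept but encoded for the HTML context it lands in.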
##########################
€nd
#############################

Thanks to estrella for being my light.

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....