[Savannah-help-public] [sr #106475] Cross-site scripting using feedback
From: Daniel Kahn Gillmor
Subject: [Savannah-help-public] [sr #106475] Cross-site scripting using feedback variable
Date: Fri, 22 Aug 2008 17:46:02 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071618 Iceweasel/3.0.1 (Debian-3.0.1-1)

Follow-up Comment #2, sr #106475 (project administration):

OK, if you follow the link in comment #1
<https://savannah.gnu.org/support/index.php?106475#comment1>, it should take
you to a page where mousing over the floating GNU in the green feedback box
will trigger a JavaScript alert that says "monkeys!".

It doesn't take much to go from there to JavaScript that does arbitrarily
complicated things as the logged-in user.

I consider this a fairly severe security concern.

_______________________________________________________
Reply to this item at:
<http://savannah.gnu.org/support/?106475>
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/