Bug #7552 Eventum Cross Site Scripting (XSS)
Submitted: 28 Dec 2004 7:34
Modified: 30 Dec 2004 15:35
Reporter: sullo
Status: Closed
Category: Eventum
Severity: S2 (Serious)
Version: 1.3.1
OS: Any (All)
Assigned to: Bugs System
Target Version:

[28 Dec 2004 7:34] sullo
Description:
Multiple PHP scripts in Eventum do not filter user-supplied input before display in HTML
pages. This allows for possible cross site scripting (XSS) attacks against other users of
the web site or Eventum system.

Files/variables:
- index.php: email field
- forgot_password.php: email field 
- preferences.php: full_name, sms_email, list_refresh_rate, emails_refresh_rate fields
- projects.php: title, outgoing_sender_name fields

How to repeat:
Load the following URLs:
index.php: index.php?err=3&email=\"<script>alert(document.cookie)</script>
forgot_password.php: forgot_password.php?email="><script>alert(document.cookie)</script>

preferences.php, enter the value
   "><script>alert(document.cookie)</script>
in the following fields: full_name, sms_email, list_refresh_rate, emails_refresh_rate

in projects.php, enter the value
   "><script>alert(document.cookie)</script>
in the following fields: title, outgoing_sender_name

Suggested fix:
Filter all tainted user input before display.

[30 Dec 2004 15:33] Joao Prado Maia
These problems were just fixed in the bitkeeper version of Eventum, and we will release a
new version soon which will contain these fixes.

Thanks for the report.
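
The suggested fix from the report, as an added example (not part of the original thread and not Eventum's own code): a request value echoed into a form field's `value` attribute, first unencoded and then encoded for the attribute context at output time. The function names, the default rate and the allowed range are assumptions made for illustration.

```php
<?php
// Added illustration; not Eventum source. Function names are hypothetical.

// Vulnerable pattern: the request value is copied straight into the
// attribute, so a double quote in the input ends value="" early.
function render_email_field_unsafe(string $email): string
{
    return '<input type="text" name="email" value="' . $email . '">';
}

// Hardened pattern: encode for the HTML attribute context when writing
// output. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function render_email_field(string $email): string
{
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="email" value="' . $safe . '">';
}

// Numeric preferences such as list_refresh_rate and emails_refresh_rate
// can also be validated as integers on input. The default of 5 and the
// 1..1440 range are assumed values, not taken from Eventum.
function parse_refresh_rate($raw, int $default = 5): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1440],
    ]);
    return $n === false ? $default : $n;
}

// Constructed sample input: the test value from "How to repeat".
$payload = '"><script>alert(document.cookie)</script>';

// Unencoded: the script element lands in the page markup.
echo render_email_field_unsafe($payload), "\n";

// Encoded: quotes and angle brackets become entities inside value="".
echo render_email_field($payload), "\n";

// Non-numeric input falls back to the default; a valid integer passes.
echo parse_refresh_rate($payload), "\n";
echo parse_refresh_rate('10'), "\n";
```

Input validation narrows what is accepted, but the encoding step at output is what keeps stored values such as full_name or title from being interpreted as markup when they are displayed later.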