Bug #26085 XSS security hole on mysql.de
Submitted: 5 Feb 2007 15:05 Modified: 5 Feb 2007 21:16
Reporter: [ name withheld ]
Status: Closed
Category:MySQL Websites: bugs.mysql.com Severity:S1 (Critical)
Version:1 OS:Windows (Windows XP)
Assigned to: Eric Braswell CPU Architecture:Any
Tags: Security, XSS

[5 Feb 2007 15:05] [ name withheld ]
Description:
An XSS error was found on the mysql.de website.

How to repeat:
Type in this link:

http://www.mysql.de/news-and-events/on-demand-webinars/security-20070130.php.de?in[firstna...

Suggested fix:
Change double quotes for form input fields to &quot; so the content of the form field stays within the form field value context. Check also the other fields like Nachname, Position, ....
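The suggested fix above, shown as an added PHP example (not code from mysql.de or from the reporter): a pre-filled form field rendered without and with entity-encoding of quotes, then parsed back to list the attributes a browser would see. The function names, the field name `nachname` and the sample value are constructed for illustration.

```php
<?php
// Added example. Names and the sample value are constructed, not taken from the site.

// Before: the value is concatenated into a double-quoted attribute as-is,
// so a double quote in the input ends the value attribute early.
function render_input_unescaped(string $name, string $value): string
{
    return '<input type="text" name="in[' . $name . ']" value="' . $value . '">';
}

// After: htmlspecialchars() with ENT_QUOTES encodes ", ', &, < and >
// (" becomes &quot;), so the whole string stays inside the attribute value.
function esc_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_input(string $name, string $value): string
{
    return '<input type="text" name="in[' . esc_attr($name) . ']" value="'
        . esc_attr($value) . '">';
}

// Parse the markup the way an HTML parser would and return the attributes
// found on the first <input> element as name => value.
function parsed_attributes(string $html): array
{
    libxml_use_internal_errors(true);   // collect parser warnings quietly
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $attrs = [];
    foreach ($doc->getElementsByTagName('input')->item(0)->attributes as $a) {
        $attrs[$a->name] = $a->value;
    }
    return $attrs;
}

// Constructed sample: one double quote is enough to leave the value context.
$in = ['nachname' => 'Anna" title="injected'];

foreach (['render_input_unescaped', 'render_input'] as $render) {
    $html = $render('nachname', $in['nachname']);
    echo $render, ":\n  ", $html, "\n  attributes: ",
        implode(', ', array_keys(parsed_attributes($html))), "\n";
}
```

With the unescaped renderer the parser reports an extra `title` attribute that came from the input; with the escaped renderer the same string is only the content of `value`.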
[5 Feb 2007 16:58] Sveta Smirnova
Thank you for the report.

Verified as described.

But, please, for future bug reports concerning the website, send email directly to our web team using the address <webmaster@mysql.com>.
[5 Feb 2007 21:16] Jim Winstead
The web team has fixed this problem.