Bug #34950 XSS vulnerability on "display name" field
Submitted: 29 Feb 2008 3:28 Modified: 3 Mar 2008 20:13
Reporter: Diego Medina
Status: Closed
Category:MySQL Websites: MySQLForge Severity:S1 (Critical)
Version:forge1.mysql.com OS:Any
Assigned to: Valeriy Kravchuk CPU Architecture:Any
Tags: forge, XSS

[29 Feb 2008 3:28] Diego Medina
go here
and you will see a JavaScript popup saying "/my profile/"

This is of course not dangerous but shows a cross-site scripting vulnerability.

How to repeat:
I'll include the instructions in the private section to keep other people from learning this.

Suggested fix:
Use the htmlentities function in PHP on all user input fields.
[29 Feb 2008 3:56] Diego Medina
the "website" field is also vulnerable (I updated the same page so that you can see)
[29 Feb 2008 4:31] Valeriy Kravchuk
Thank you for the bug report. Verified just as described.
[3 Mar 2008 15:18] Jay Pipes
Checked and escaped missing outputs in templates/nav.tpl and templates/people/person.tpl

Revisions r364-5 have fixes.
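The pattern behind this report, as an added example (not MySQL Forge's code, and not the r364-5 change itself): a profile's "display name" and "website" fields rendered into HTML verbatim, beside the same page rendered with escaping applied at output time, which is where the fix above landed (in the templates). The function names `render_profile_unsafe`, `render_profile_safe`, `h` and `safe_url` and the sample profile row are assumptions made for this example.

```php
<?php
// Added example, not MySQL Forge code. Shows the XSS in this report
// (unescaped "display name" / "website" fields) and output-time escaping.
// Function names and the sample profile below are constructed for the example.

declare(strict_types=1);

// Constructed sample row, standing in for a profile read from the database.
// The display name carries the reporter's harmless test payload; the
// website field carries a javascript: URL, which escaping alone does not stop.
$profile = [
    'display_name' => '<script>alert("/my profile/")</script>Diego',
    'website'      => 'javascript:alert(1)',
];

// Vulnerable rendering: values are interpolated as-is, so the <script>
// element in display_name runs in every visitor's browser.
function render_profile_unsafe(array $p): string
{
    return '<h1>' . $p['display_name'] . '</h1>'
         . '<a href="' . $p['website'] . '">' . $p['website'] . '</a>';
}

// Escape for HTML text and attribute contexts. ENT_QUOTES also converts
// single quotes, so the result is safe inside either kind of quoted attribute.
// htmlentities() with the same flags would work equally well here.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// href needs more than escaping: a javascript: URL has no HTML
// metacharacters, so only http and https schemes are allowed through.
function safe_url(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return '#';
    }
    $scheme = strtolower($parts['scheme']);
    return in_array($scheme, ['http', 'https'], true) ? $url : '#';
}

// Hardened rendering: every user-controlled value is escaped for the
// context it lands in, and the link target is scheme-checked first.
function render_profile_safe(array $p): string
{
    $site = safe_url($p['website']);
    return '<h1>' . h($p['display_name']) . '</h1>'
         . '<a href="' . h($site) . '">' . h($p['website']) . '</a>';
}

echo render_profile_unsafe($profile), "\n";
echo render_profile_safe($profile), "\n";
```

Escaping at output (as in the template fix) rather than at input keeps the stored value intact for non-HTML consumers and makes the escape context explicit; the `safe_url` check is an addition beyond what the report discusses, included because a website field that is only HTML-escaped still lets a `javascript:` link through.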
[3 Mar 2008 20:01] Diego Medina
The Project title has the same issue; check http://forge1.mysql.com/projects/project.php?id=260
[3 Mar 2008 20:13] Jay Pipes
Hi Diego! Please enter a new bug for this as it is a different area of the application. I'm going to close this one. Thanks much for all your tremendous help!