Bug #7552 Eventum Cross Site Scripting (XSS)
Submitted: 28 Dec 2004 6:34
Modified: 30 Dec 2004 14:35
Reporter: sullo
Status: Closed
Category: Eventum
Severity: S2 (Serious)
Version: 1.3.1
OS: Any (All)
Assigned to: Bugs System
CPU Architecture: Any

[28 Dec 2004 6:34] sullo
Description:
Multiple PHP scripts in Eventum do not filter user-supplied input before display in HTML pages. This allows for possible cross site scripting (XSS) attacks against other users of the web site or Eventum system.

Files/variables:
- index.php: email field
- forgot_password.php: email field 
- preferences.php: full_name, sms_email, list_refresh_rate, emails_refresh_rate fields
- projects.php: title, outgoing_sender_name fields

How to repeat:
Load the following URLs:
index.php: index.php?err=3&email=\"<script>alert(document.cookie)</script>
forgot_password.php: forgot_password.php?email="><script>alert(document.cookie)</script>

preferences.php, enter the value
   "><script>alert(document.cookie)</script>
in the following fields: full_name, sms_email, list_refresh_rate, emails_refresh_rate

in projects.php, enter the value
   "><script>alert(document.cookie)</script>
in the following fields: title, outgoing_sender_name

Suggested fix:
Filter all tainted user input before display.

[30 Dec 2004 14:33] Joao Prado Maia
These problems were just fixed in the bitkeeper version of Eventum, and we will release a new version soon which will contain these fixes.

Thanks for the report.
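
The report's suggested fix, encoding user input at the point of display, sketched in PHP as an added example; it is not Eventum's code and not the fix the maintainers committed. The helper names, the sample request array and the refresh-rate bounds are assumptions; the field names and the test string come from the report.

```php
<?php
// Added example, not Eventum code. Helper names are hypothetical.

// Encode a value for HTML text or a quoted attribute value.
// ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: request data concatenated into markup unchanged.
function render_email_field_unsafe(array $request): string
{
    $email = $request['email'] ?? '';
    return '<input type="text" name="email" value="' . $email . '">';
}

// Hardened pattern: encode when writing the value into the page.
function render_email_field(array $request): string
{
    $email = $request['email'] ?? '';
    if (!is_string($email)) {
        $email = '';            // email[]=x arrives as an array
    }
    return '<input type="text" name="email" value="' . h($email) . '">';
}

// Numeric preferences such as list_refresh_rate can also be validated on
// input. The 1..1440 bounds and the default are assumptions.
function refresh_rate(array $request, string $field, int $default = 5): int
{
    $v = filter_var($request[$field] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1440]]);
    return $v === false ? $default : $v;
}

// Constructed request using the test string from the report.
$request = [
    'email'             => '"><script>alert(document.cookie)</script>',
    'list_refresh_rate' => '"><script>alert(document.cookie)</script>',
];

echo render_email_field_unsafe($request), "\n";  // markup is broken out of
echo render_email_field($request), "\n";         // value stays inside the attribute
echo refresh_rate($request, 'list_refresh_rate'), "\n";  // falls back to default
```

Validation on input narrows what is stored, but the encoding in `h()` is what keeps stored values such as full_name or title from being interpreted as markup when another user views them.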