Flyspray Cross Site Scripting Vulnerabilities (2008-02-11)
- Release Date: 2008-02-24
- Last Modified: 2008-02-24
- Author: Florian Schmitz
- Application: Flyspray 0.9.9 - 0.9.9.4
- Risk: Low
- Vendor Status: The Flyspray project has released an updated version
- References: <http://www.flyspray.org/devel/security/fsa3>
- Discovered by: Digital Security Research Group (DSecRG)
#### Details
While Flyspray escapes all output variables by default in order to prevent this type of vulnerability, some less obvious problems have been found.
#### Problem with SQL errors
Flyspray is affected by a cross site scripting vulnerability due to missing escaping of SQL error messages. By including HTML code in a query and at the same time causing it to fail by submitting invalid data, an XSS hole can be exploited.
#### Problem in the task history attached to comments
There is an XSS problem in the task history attached to comments, since the application fails to sanitize the *old_value* and *new_value* database fields for changed task summaries.
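The two output paths named above, shown as an added PHP illustration rather than Flyspray's own code: the history row is rendered once without escaping and once with every database-sourced value escaped on output, and a failed query is reported without reflecting the raw driver message. Function and field names are assumptions; the sample values are constructed.

```php
<?php
// Added illustration (not Flyspray's code): output escaping for the task-history
// fields and for SQL error messages. Names are assumptions, not Flyspray's API.

/** Escape a string for safe inclusion in an HTML body or attribute. */
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: the history fields are echoed into the page unescaped. */
function render_history_row_unsafe(array $row): string {
    return "<tr><td>{$row['old_value']}</td><td>{$row['new_value']}</td></tr>";
}

/** Hardened: every value that came from the database is escaped at output time. */
function render_history_row(array $row): string {
    return '<tr><td>' . h($row['old_value']) . '</td><td>' . h($row['new_value']) . '</td></tr>';
}

/** Hardened: a failed query is reported without reflecting the SQL text verbatim. */
function render_db_error(string $driver_message, bool $debug = false): string {
    // In production the driver message belongs in the server log, not the page;
    // even in debug mode it is escaped because it may contain the submitted query.
    $shown = $debug ? $driver_message : 'A database error occurred.';
    return '<p class="error">' . h($shown) . '</p>';
}

// Constructed sample: a task summary was changed to text that contains markup.
$row = ['old_value' => 'Login bug', 'new_value' => '<b onmouseover="x()">Login</b>'];
echo render_history_row($row), "\n";   // markup is rendered as text, not executed

// Constructed sample of a driver message that echoes the failing query back.
echo render_db_error("You have an error in your SQL syntax near '<i>x</i>'", true), "\n";
```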
##### Proof of concept
The Flyspray team will not release an example exploit to the public.
##### Disclosure Timeline
1. 08 February 2008 - DSecRG reported the vulnerability to security@flyspray.org
2. 11 February 2008 - Fix committed to the SVN repository
3. 24 February 2008 - Public disclosure.
##### Recommendation
We strongly recommend upgrading to the new version.