freshmeat.net: XSS Attack due to improper comment filtering.

[Steve Kemp <steve () steve org uk>]

Freshmeat Comment Filtering Error
---------------------------------

  Freshmeat is a community driven website which serves as an index
 of free software projects.

  Each of the listed projects contains links to a website, download
 locations and other relevent information.
 
  The site is updated several times a day to include recent releases.


The Vulnerability
-----------------

  Each project page contains a collection of links and information 
 about it, as well as the ability for visitors to leave comments.

  Two forms of comments are allowed plain text, or HTML text.

  The attributes of the HTML are inadequately sanitized, allowing a 
 malicious commentor to create links which would execute arbitary
 Javascript.

  The following is an example of such a malicious link:
    
   <a href="http://foo.com/"; onMouseOver="alert(1);">foo.com</a>


Impact
------

  The site uses a session ID stored in a cookie to keep track of a
 users state.  If a user is logged in and clicks upon a link, (or
 moves over it depending on the code), then they could have their
 login credentials stolen.

        
The Fix
-------

  The site admins were informed of the details of the attack and had
 the problem patched 9 hours later.


Timeline
--------

  Site admins informed:  Thu, 25 Mar 2004 04:39:06 -0800 (PST)
  Site Fixed:            Thu, 25 Mar 2004 04:39:06 -0800 (PST)


Links
-----

  Online version of this text:

        http://www.steve.org.uk/Hacks/Freshmeat.html



Steve
--
# Debian Security Audit Project
http://www.shellcode.org/Audit/