[Latest versions of Redmine] High-severity type vulnerabilities have been discovered

Added by calm calm almost 6 years ago

Vulnerability description
Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

The vulnerability affects https://***.com/news/preview, news%5Bdescription%5D
Discovered by Scripting (XSS.script)


Attack details

URL encoded POST input news%5Bdescription%5D was set to !!!!%5B%5B%5D%5D%5B%5B%5D%5D%3Cpre%3E%0D%0A%3Cpre%3E%0D%0A%3C%2Fpre%3E%0D%0A%23+%23+*+h3.+%40%40%40%40----%2B%2B%2B%2B____****%0D%0A%3C%2Fpre%3E<% contenteditable onresize=qzeW(9507)>

The input is reflected inside a text element.


Replies (1)

RE: high-severity type vulnerabilities have been discovered on Redmine - Added by Holger Just almost 6 years ago

The text you have provided as a PoC doesn't seem to result in an XSS (that is, the unexpected execution of JavaScript based on user input).

Even unescaping the input and adding it directly as the description didn't make any difference. There is nothing unexpected here. All characters which might be interpreted as being part of HTML tags are properly escaped.

The unescaped raw content from your PoC looks like this:

!!!![[]][[]]<pre>
<pre>
</pre>
# # * h3. @@@@----++++____****
</pre><% contenteditable onresize=qzeW(9507)>

Please verify that you are actually able to execute JavaScript in browsers due to missing escaping. Please also check the Redmine version, the selected text formatting and whether any plugins are installed.

In any case, both for this report and any future findings you might have, if you believe you have found a security issue, please do not disclose it publicly on the forums before the developers have had a chance to investigate the issue and release a fix for it. Please report your findings to the project by sending an email to: security(at)redmine.org instead.
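The check Holger describes, written out as an added Ruby example. This is not Redmine's own code: the decoding and escaping calls below (CGI.unescape, ERB::Util.html_escape) are assumed to stand in for what Rack and Rails' h() helper do to the posted parameter before it reaches the page, and the payload string is copied from the report above.

```ruby
require "cgi"
require "erb"

# The URL-encoded POST value exactly as it appears in the report. The trailing
# "<% contenteditable onresize=qzeW(9507)>" fragment was sent without encoding.
ENCODED_PAYLOAD = "!!!!%5B%5B%5D%5D%5B%5B%5D%5D%3Cpre%3E%0D%0A%3Cpre%3E%0D%0A" \
                  "%3C%2Fpre%3E%0D%0A%23+%23+*+h3.+%40%40%40%40----%2B%2B%2B%2B____****" \
                  "%0D%0A%3C%2Fpre%3E<% contenteditable onresize=qzeW(9507)>"

# Step 1: decode the application/x-www-form-urlencoded value the way the
# framework's parameter parsing would ("+" becomes a space, %XX is decoded).
def decode_form_value(encoded)
  CGI.unescape(encoded)
end

# Step 2: escape for HTML output, as Rails' h()/ERB::Util.html_escape does.
# Assumption for this example: this is the only transformation the text gets.
def escape_for_html(raw)
  ERB::Util.html_escape(raw)
end

# Step 3: the actual check. After escaping, none of the characters that could
# open or close a tag or break out of an attribute value may survive.
def html_metacharacters_left?(text)
  text.match?(/[<>"']/)
end

# Count "<" characters that an HTML parser would treat as a tag opener
# (followed by a letter, "/", "!" or "?"). A "<" followed by anything else,
# such as the "<%" in this PoC, is emitted as literal text by the parser.
def tag_openers(raw)
  raw.scan(%r{<(?=[A-Za-z/!?])}).size
end

if __FILE__ == $PROGRAM_NAME
  raw = decode_form_value(ENCODED_PAYLOAD)
  puts "decoded PoC:\n#{raw}\n"
  puts "tag openers in raw text: #{tag_openers(raw)} (of #{raw.count('<')} '<' characters)"
  escaped = escape_for_html(raw)
  puts "escaped:\n#{escaped}\n"
  puts "metacharacters left after escaping: #{html_metacharacters_left?(escaped)}"
end
```

Running this reproduces the unescaped text Holger quoted, and shows that the escaped form contains only &lt;, &gt; and friends, so nothing in it can start an element or an event-handler attribute. The tag_openers count also shows why the scanner's appended <% ... onresize=...> fragment would not form a tag even without escaping: the "<%" sequence is plain text to an HTML parser.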
