Flyspray Cross Site Scripting Vulnerabilities (2008-02-11)

Release Date
Last Modified
Florian Schmitz
Flyspray 0.9.9 -
Vendor Status: The Flyspray project has released an updated version
Discovered by: Digital Security Research Group (DSecRG)


While Flyspray escapes all output variables by default in order to prevent this type of vulnerability, some less obvious problems have been found.

Problem with SQL errors

Flyspray is affected by a cross-site scripting vulnerability due to missing escaping of SQL error messages. By including HTML code in a query and at the same time causing it to fail by submitting invalid data, an XSS hole can be exploited.

Problem in the task history attached to comments

There is an XSS problem in the task history attached to comments, since the application fails to sanitize the old_value and new_value database fields for changed task summaries.
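Both problems above are output-encoding gaps, so the mitigation has the same shape in each case. The following is an added example, not Flyspray's own code: the function names are hypothetical, the sample data is constructed, and only the old_value and new_value field names come from this advisory.

```php
<?php
// Added illustration; helper names are hypothetical, not Flyspray functions.

/** Escape a value for an HTML text or quoted-attribute context. */
function esc_html(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render a failed-query notice. A database error message can echo back
 * fragments of the query, including request data, so it is escaped like
 * any other output instead of being concatenated into the page as-is.
 */
function render_sql_error(string $driverMessage): string
{
    return '<div class="error">Query failed: ' . esc_html($driverMessage) . '</div>';
}

/** Render one "summary changed" history row from its stored fields. */
function render_summary_change(array $row): string
{
    // Data read back from the database is still untrusted at output time.
    return '<li>Summary changed from "' . esc_html($row['old_value'] ?? null)
         . '" to "' . esc_html($row['new_value'] ?? null) . '"</li>';
}

// Constructed sample data; the harmless <b> tag stands in for any markup.
$error = "Unknown column '<b>x</b>' in 'where clause'";
$row   = ['old_value' => 'Login fails', 'new_value' => 'Login <b>fails</b> on IE'];

$errorHtml   = render_sql_error($error);
$historyHtml = render_summary_change($row);

// Neither fragment may contain a raw tag taken from the data.
foreach ([$errorHtml, $historyHtml] as $html) {
    if (strpos($html, '<b>') !== false) {
        throw new RuntimeException('unescaped markup reached the page');
    }
}

echo $errorHtml, PHP_EOL, $historyHtml, PHP_EOL;
```

In production, the detailed database error is better written to a server-side log, with only a generic message shown to the user.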

Proof of concept

The Flyspray team will not release an example exploit to the public.

Disclosure Timeline
  1. 08 February 2008 - DSecRG disclosed vulnerability at
  2. 11 February 2008 - Fix committed to the SVN repository
  3. 24 February 2008 - Public disclosure.

We strongly recommend upgrading to the new version.