Flyspray is proudly sponsored by The Veloz Group
Table of Contents
Flyspray Security Announcement 3
Flyspray Cross Site Scripting Vulnerabilities (2008-02-11)
| Release Date | 2008-02-24 |
|---|---|
| Last Modified | 2008-02-24 |
| Author | Florian Schmitz <floele at flyspray dot org> |
| Application | Flyspray 0.9.9 - 0.9.9.4 |
| Risk | Low |
| Vendor Status | The Flyspray project has released an updated version |
| References | http://www.flyspray.org/fsa:3 |
| Discovered by | Digital Security Research Group (DSecRG) |
Details:
While Flyspray escapes all output variables by default in order to prevent this type of vulnerabilities, some more hidden problems have been found.
Problem with SQL errors
Flyspray is affected by a Cross Site scripting Vulnerability due missing escaping of SQL error messages. By including HTML code in a query and at the same time causing it to fail by submitting invalid data, an XSS hole can be exploited.
Problem in the task history attached to comments
There is an XSS problem in the task history attached to comments, since the application fails to sanitize the the old_value and new_value database fields for changed task summaries.
Proof of concept:
The Flyspray team will not release an example exploit to the public.
Disclosure Timeline:
08. February 2008 - DSecRG disclosed vulnerability at security@flyspray.org 11. February 2008 - Fix commited the SVN repository 24, February 2008 - Public disclosure.
Recommendation:
We strongly recommend to upgrade to the new version.
