- **status**: validation --> closed
- **private**: Yes --> No
---

**[tickets:#6889] XSS on /p/add_project/**

**Status:** closed
**Labels:** support p1 security
**Created:** Sat Nov 16, 2013 02:34 AM UTC by Chris Tsai
**Last Updated:** Mon Nov 18, 2013 03:46 PM UTC
**Owner:** Dave Brondsema

[forge:site-support:#5930]

>If you copy and paste this payload: `"><img src=x onerror=prompt(1);>` at the
>page of sourceforge/p/add_Project in the two forms, you get an XSS!! (CROSS
>SITE SCRIPTING)! I HOPE THAT SOURCEFORGE ACKNOWLEDGE ME..
>-Simon90_Italy. For more information:[email protected]

Screenshot: https://sourceforge.net/p/forge/site-support/5930/attachment/03b0f-c0aebbf2-ce95-4017-a427-0b215d98bfc2.png

Not sure how exploitable that actually is, but following his instructions anyway I was able to reproduce that.
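The report above can be turned into a regression check. This is an added example, not Allura's code: it assumes the form echoes the submitted value into an `<input value="...">` attribute, and the field name `project_name` and both render functions are hypothetical. It parses the rendered markup and reports whether the quoted payload created a new element or event handler.

```python
import html
from html.parser import HTMLParser

# Payload exactly as quoted in the ticket.
PAYLOAD = '"><img src=x onerror=prompt(1);>'

# Hypothetical template for a re-displayed form field (assumption).
TEMPLATE = '<input type="text" name="project_name" value="%s">'


def render_unescaped(value):
    """Interpolates the value as-is: the behaviour the report describes."""
    return TEMPLATE % value


def render_escaped(value):
    """Escapes &, <, > and both quote characters for an attribute context."""
    return TEMPLATE % html.escape(value, quote=True)


class TagAudit(HTMLParser):
    """Records every start tag, any on* handler attribute, and the input's value."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []
        self.handlers = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, val in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))
            if tag == "input" and name == "value":
                self.input_value = val


def audit(markup):
    """Returns (tags, event handlers, decoded input value) for rendered markup."""
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers, parser.input_value


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        print(render.__name__, audit(render(PAYLOAD)))
```

With escaping, the parser sees a single `input` element whose decoded value is the payload text itself, so the user's input round-trips as data instead of markup.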
