Hey Victor,

I'm sending this reply to pydotorg-www@, since it is they who handle
updating the web site.

webmaster@ is a common destination for such queries, but all we can do is
what I've just done in most cases.

Kind regards,
Steve Holden


On Fri, Jan 10, 2020 at 5:03 PM Victor Stinner <vstin...@python.org> wrote:

> Hi python.org webmasters,
>
> Would you mind having a look? :-)
>
> Victor
>
> ---------- Forwarded message ---------
> From: Nikhil1R via PSRT <p...@python.org>
> Date: Fri 10 Jan 2020 at 10:18
> Subject: [PSRT] XSS DOM on python.org
> To: secur...@python.org <secur...@python.org>
>
>
> [*] Summary:
> XSS DOM on https://www.python.org/
>
> [*] Steps To Reproduce:
>
> 1.  Open https[://]spotify[.]com/us/
> 2.  Go to the "Web Developer" options and select the "Inspector"
> option.
> 3.  In the Inspector, select the <img class="python-logo"
> src="/static/img/python-logo.png" alt="python™"> element.
> 4.  Right-click it and select "Edit as HTML".
> 5.  Replace the value in quotes "/static/img/python-logo.png" with the
> string "><svg onload=alert(1)>.
> 6.  After that, click outside the HTML editing box.
> 7.  Hence, you will get the alert of the XSS (DOM based) being executed.
>
> [*] Impact:
>           The source is controlled by the user, so they can execute the
> XSS for a dangerous sink.
>
> [*] Supporting Material/References:
>
>          1. Screenshots attached as .png.
>          2. Browser: latest Firefox 71.0 (64-bit) for Linux & latest
> Firefox for Windows.
>          3. OS: Linux, Windows.
>
> Note: I'm only attaching the screenshot for Linux, but I had also
> tested this on Windows 10.
> -----------------------------
> Python Security Response Team
> Unsubscribe:
> https://mail.python.org/mailman/options/psrt/vstinner%40python.org
>
>
> --
> Night gathers, and now my watch begins. It shall not end until my death.
> _______________________________________________
> Webmaster mailing list
> webmas...@python.org
> https://mail.python.org/mailman/listinfo/webmaster
>
_______________________________________________
pydotorg-www mailing list
pydotorg-www@python.org
https://mail.python.org/mailman/listinfo/pydotorg-www