#2887 – 
Confirmed
Bug report
Description
Users can store malicious code in the database (or any other persistent storage) by entering JavaScript in parameters such as “fs[resolution][o]”, “fs[issuetype][o]” and “fs[issuetype][v]” when a new search is saved or modified. The injected code is executed every time the stored data is retrieved by another user.
How to reproduce
1. Perform any search.
2. Once the search has run, apply a filter; in this case, select the “Resolution” filter.
3. Click the “Save” icon and select the “Save search filters” option.
4. Fill out the fields with any string and click the “Save search” button.
5. Intercept the “/issue/save/search” request with a proxy tool such as “Fiddler” and, in the body, look for the “fs%5Bresolution%5D%5Bv%5D” and “fs%5Bresolution%5D%5Bo%5D” parameters.
6. Add the following script to the previous parameters: "><img src=a onerror=alert(1)>.
7. Click the “Run to Completion” button to proceed with the application’s workflow.
8. The search is saved and the injected script executes; copy the URL displayed in the address bar.
9. Log in as another user and load the saved search URL.
10. The script executes again, because it is stored in the database and the saved search can be accessed by other users.
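One server-side way to close this class of bug, shown here as an added example rather than the tracker's own code: allow-list the filter field and operator carried in each `fs[<field>][o]` / `fs[<field>][v]` parameter when the saved search is stored, and HTML-escape the free-text value when it is rendered for another user. The allowed field and operator sets, and the rendered markup, are assumptions; the request body is a constructed sample built from the report's payload.

```python
import html
import re
from urllib.parse import parse_qs, quote

# Assumption (not from the report): the filter fields and operators a saved search may use.
ALLOWED_FIELDS = {"resolution", "issuetype", "status"}
ALLOWED_OPERATORS = {"=", "!=", "in", "not_in"}

FS_KEY = re.compile(r"^fs\[([^\]]+)\]\[([ov])\]$")  # matches fs[<field>][o] / fs[<field>][v]


def parse_filters(body: str) -> dict:
    """Decode a URL-encoded body into {field: {"o": operator, "v": value}}.

    Keys that are not fs[<field>][o|v] are ignored. A field or operator outside
    the allow-lists raises ValueError, so attacker-chosen text is never stored there.
    """
    filters: dict = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        m = FS_KEY.match(key)
        if not m:
            continue
        field, part = m.group(1), m.group(2)
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unknown filter field: {field!r}")
        filters.setdefault(field, {})[part] = values[0]
    for field, parts in filters.items():
        if parts.get("o") not in ALLOWED_OPERATORS:
            raise ValueError(f"unknown operator for {field!r}: {parts.get('o')!r}")
    return filters


def render_filter(field: str, flt: dict) -> str:
    """Render a stored filter back into HTML, escaping the free-text value.

    The operator was allow-listed at parse time; html.escape(..., quote=True) also
    encodes " and ', so a value such as "><img src=a onerror=alert(1)> cannot close
    the attribute and inject a tag.
    """
    return (f'<input name="fs[{field}][v]" data-op="{flt["o"]}" '
            f'value="{html.escape(flt.get("v", ""), quote=True)}">')


def make_body(field: str, op: str, value: str) -> str:
    """Build a URL-encoded body like the one sent to /issue/save/search (constructed sample)."""
    return f"fs%5B{field}%5D%5Bo%5D={quote(op)}&fs%5B{field}%5D%5Bv%5D={quote(value)}"


PAYLOAD = '"><img src=a onerror=alert(1)>'  # the payload from the report
```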