http://bugs.winehq.org/show_bug.cgi?id=9754

           Summary: Possible XSS exploit possibility
           Product: WineHQ Apps Database
           Version: unspecified
          Platform: Other
               URL: http://appdb.winehq.org/objectManager.php?bIsQueue=false&bIsRejected=false&sClass=application&iId=1369&sAction=showMoveChildren&sTitle=Could%20this%20be%20exploited?
        OS/Version: other
            Status: UNCONFIRMED
          Severity: major
          Priority: P2
         Component: website-bugs
        AssignedTo: wine-bugs(a)winehq.org
        ReportedBy: marco(a)harddisk.is-a-geek.org

While surfing the AppDB entry for GTA Vice City
(http://appdb.winehq.org/objectManager.php?sClass=application&iId=1369), I found
a link at the bottom of the page stating "Move child objects". I clicked on it
and found out that the URL contains a parameter sTitle, which apparently sets
the page title and can be set to any text I think of.

Good news is that obvious JavaScript does not work, but I think it'd be easy for
a pro to develop a working XSS exploit.
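
Added example, not AppDB source and not part of the report: one way a PHP page could handle a title parameter like the sTitle described above, by deriving the title server-side from the action and HTML-encoding any request-supplied text that must be shown. The function names, the title table and the sample input are assumptions made for illustration.

```php
<?php
// Added example; not AppDB source. All names here are hypothetical.

// Titles the server is willing to show, keyed by action (assumed table).
const ACTION_TITLES = [
    'showMoveChildren' => 'Move child objects',
    'view'             => 'View entry',
];

// Preferred: ignore any title sent in the URL and derive it server-side,
// so a crafted link cannot put arbitrary text on a trusted page.
function titleForAction(string $action): string
{
    return ACTION_TITLES[$action] ?? 'AppDB';
}

// If free text from the request must be shown, bound it and encode it
// for the HTML context it is written into.
function encodeForHtml(string $text, int $maxLen = 80): string
{
    // Drop control characters, then truncate before encoding so an
    // entity is never cut in half. Invalid UTF-8 yields an empty string.
    $text = preg_replace('/[\x00-\x1F\x7F]/u', '', $text) ?? '';
    $text = mb_substr($text, 0, $maxLen, 'UTF-8');
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderHead(array $query): string
{
    // Array-valued parameters (sAction[]=...) are treated as absent.
    $action = is_string($query['sAction'] ?? null) ? $query['sAction'] : '';
    return '<title>' . encodeForHtml(titleForAction($action)) . '</title>';
}

// Constructed sample request parameters (not captured traffic).
$sample = [
    'sAction' => 'showMoveChildren',
    'sTitle'  => '</title><b>constructed markup</b>',
];

// The title comes from the table; sTitle is never consulted.
echo renderHead($sample), "\n";
// The request-supplied value, as it would look if it had to be displayed.
echo encodeForHtml($sample['sTitle']), "\n";
```

Encoding alone still lets a link place arbitrary visible text on the page, which is why the example takes the title from a server-side table instead of the URL.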