http://bugs.winehq.org/show_bug.cgi?id=9754
Summary: Possible XSS exploit possibility
Product: WineHQ Apps Database
Version: unspecified
Platform: Other
URL: http://appdb.winehq.org/objectManager.php?bIsQueue=false&bIsRejected=false&sClass=application&iId=1369&sAction=showMoveChildren&sTitle=Could%20this%20be%20exploited?
OS/Version: other
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: website-bugs
AssignedTo: wine-bugs@winehq.org
ReportedBy: marco@harddisk.is-a-geek.org
While surfing the AppDB entry for GTA Vice City (http://appdb.winehq.org/objectManager.php?sClass=application&iId=1369), I found a link at the bottom of the page stating "Move child objects". I clicked on it and found out that the URL contains a parameter sTitle, which apparently sets the page title and can be set to any text I think of.
The good news is that obvious JavaScript does not work, but I think it'd be easy for a pro to develop a working XSS exploit.
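The report concerns a page title taken straight from the sTitle query parameter. As an added illustration (not code from the AppDB or the bug), the snippet below extracts sTitle from the reported URL, renders the title with entity escaping so the parameter can only ever appear as text, and includes a defensive check a reviewer could run against a rendered fragment; the function names and the "Tom & Jerry" sample title are constructed for this example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# URL taken from the bug report's URL field (only the sTitle value matters here).
REPORTED_URL = (
    "http://appdb.winehq.org/objectManager.php?bIsQueue=false&bIsRejected=false"
    "&sClass=application&iId=1369&sAction=showMoveChildren"
    "&sTitle=Could%20this%20be%20exploited?"
)


def title_from_url(url: str, default: str = "AppDB") -> str:
    """Return the decoded sTitle query parameter of `url`, or `default` if absent."""
    params = parse_qs(urlsplit(url).query)
    return params.get("sTitle", [default])[0]


def render_title(raw_title: str) -> str:
    """Render the <title> element with the user-supplied text entity-escaped.

    Escaping '<', '>', '&' and both quote characters means nothing in
    raw_title can end the title element early or begin a tag, so the
    parameter is displayed verbatim but never interpreted as markup.
    """
    return "<title>%s</title>" % html.escape(raw_title, quote=True)


def title_is_safe(rendered: str) -> bool:
    """Defensive check on a rendered fragment: it must start with a single
    <title> element and contain no raw angle brackets inside it."""
    if not rendered.startswith("<title>") or rendered.count("</title>") != 1:
        return False
    inner = rendered[len("<title>"):rendered.index("</title>")]
    return "<" not in inner and ">" not in inner


def check_url_title(url: str) -> bool:
    """End-to-end: parameter in, escaped title out, check passes."""
    return title_is_safe(render_title(title_from_url(url)))


if __name__ == "__main__":
    print(render_title(title_from_url(REPORTED_URL)))
    # A title containing markup characters renders as harmless text (constructed sample):
    print(render_title("Tom & Jerry <b>"))
    # The naive, unescaped rendering of the same text fails the check:
    print(title_is_safe("<title>Tom & Jerry <b></title>"))
```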
--- Comment #1 from Marco Schuster marco@harddisk.is-a-geek.org 2007-09-29 03:36:09 ---
Even after #9755 got fixed and I get the error message "Insufficient privileges", I am still able to change the title via sTitle in the URL.
Chris Morgan cmorgan@alum.wpi.edu changed:
What      |Removed     |Added
----------------------------------------------------
CC        |            |cmorgan@alum.wpi.edu
--- Comment #2 from Chris Morgan cmorgan@alum.wpi.edu 2007-10-16 21:42:41 ---
(In reply to comment #1)
> Even after #9755 got fixed and I get the error message "Insufficient privileges", I am still able to change the title via sTitle in the URL.
The title is generated upon page refresh using the information in the url. As far as I can tell you are only changing the title that you see on the page. I'm not sure that this presents a security concern.
Chris
Alexander Nicolaysen Sørnes alex@thehandofagony.com changed:
What      |Removed     |Added
----------------------------------------------------
CC        |            |alex@thehandofagony.com
Status    |UNCONFIRMED |RESOLVED
Resolution|            |INVALID
--- Comment #3 from Alexander Nicolaysen Sørnes alex@thehandofagony.com 2007-10-18 03:56:06 ---
I don't think it does either, but thanks for alerting us of possible issues.
Austin English austinenglish@gmail.com changed:
What      |Removed     |Added
----------------------------------------------------
Status    |RESOLVED    |CLOSED
--- Comment #4 from Austin English austinenglish@gmail.com 2008-11-17 13:11:21 ---
Closing.