Re: SASHA v0.2.0 Mutiple XSS



On Sun, Dec 18, 2011 at 02:08:19PM -0500, tom wrote:
# Exploit Title: SASHA v0.2.0 Mutiple XSS
# Date: 12/16/11
# Author: G13
# Software Link: http://sourceforge.net/projects/sasha/files/
# Version: 0.2.0
# Category: webapps (php)
#


##### Vulnerability #####

When adding a new course to the schedule, the application relies on
Client Side controls for input. This can easily be bypassed by
using an intercepting proxy or CSRF attack.


##### Affected Variables #####

section_title=[XSS]
instructors=[XSS]

##### POST Data #####

institution=uvm&semester%5Bseason%5D=09&semester%5Byear%5D=2011&schedule_type=0&
subject=math&course=0028&section=test&start_time%5Bhour%5D=8&
start_time%5Bminute%5D=0&start_time%5Bmeridiem%5D=AM&end_time%5Bhour%5D=9&
end_time%5Bminute%5D=0&end_time%5Bmeridiem%5D=AM&parent_schedule_id=&
instructors%5B0%5D=&instructors%5B1%5D=&instructors%5B2%5D=&instructors%5B3%5D=&
instructors%5B4%5D=&instructors%5B5%5D=&section_title=&step=1&next=Next

This seems to be a false-positive in some sense. Variable instructors has stored XSS vulnerability, but section_title doesn't. One can only use this XSS-vulnerability against own account so not an issue. Author of the program will still fix this issue. Tom in my opinion you are doing great work, but please contact developers before announcements. I know this is sometimes waste of time, but you should still do that. In my opinion this doesn't deserve CVE. Please also note that this software is not heavily used as far as developer knew so might be the best not to email bugtraq before fix/patch next time.

More information: https://sourceforge.net/apps/mantisbt/sasha/view.php?id=13

You can also reach them at #sasha-dev in Freenode IRC-network.

- Henri Salo