XSS vulnerability in email verification code of AccountManagerPlugin 0.4.3 for Trac - initial response

Steffen Hoffmann hoff.st at web.de
Wed Apr 2 18:18:12 EDT 2014


Hello,

I've been notified this evening that an XSS vulnerability demonstration
has been disclosed to the folks running the Pidgin developer site.

Ayoub Nait Lamine, the security researcher reporting this issue, did the
attack against acct_mgr-0.4.3, revealing a single occasion where user
input, the email address typed in at registration time, is pushed
unescaped for display in a confirmation message.

The exploit happens with email verification enabled, but without any
email input verification.

If email verification is enabled and configured correctly, but without
checking the email input, the forged email will be saved as demonstrated.
The load of the next page right after the first successful login of the
user in question will fire a confirmation message and trigger the
JavaScript code.

Note that regexp checking for username and email is part of the plugin
(acct_mgr.register.RegExpCheck). This component comes with default
values, which would have stopped the registration of such an insane
string as email ("><img src=x onerror=prompt(1)>") before the exploit
could happen.

I do strongly suggest including this check, which is the default,
recommended configuration anyway. Please check and alter your
configuration accordingly.


[account-manager]
register_check = BasicCheck,BotTrapCheck,EmailCheck,RegExpCheck,UsernamePermCheck

[components]
acct_mgr.register.RegExpCheck = enabled
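To illustrate the two layers involved (the registration-time regexp check that blocks the string, and the output escaping the 0.4.3 confirmation message lacked), here is an added, self-contained example in Python; it is not the plugin's code, and the email pattern is a constructed stand-in, not the plugin's actual default value.

```python
import re
from html import escape

# Constructed stand-in for a registration-time email regexp check in the
# role of RegExpCheck. Hypothetical pattern; the plugin's real default is
# not reproduced here.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# The string from the report, used here only as test input.
REPORTED_INPUT = '"><img src=x onerror=prompt(1)>'


def registration_check(email):
    """True if the address passes the regexp check and may be stored."""
    return EMAIL_RE.match(email) is not None


def confirmation_message_vulnerable(email):
    """Mirrors the 0.4.3 defect: the stored address is interpolated into
    the HTML confirmation message without escaping."""
    return "<p>A verification link has been sent to %s.</p>" % email


def confirmation_message_fixed(email):
    """Escapes <, >, & and quotes so markup in the address is shown as
    text instead of being parsed by the browser."""
    return "<p>A verification link has been sent to %s.</p>" % escape(
        email, quote=True)


def renders_as_markup(fragment):
    """Crude check: does an unescaped img tag survive into the output?"""
    return "<img" in fragment


if __name__ == "__main__":
    print("rejected at registration:", not registration_check(REPORTED_INPUT))
    print(confirmation_message_vulnerable(REPORTED_INPUT))
    print(confirmation_message_fixed(REPORTED_INPUT))
```

Even with the regexp check enabled, the escaped message is the fix that matters, since the check only guards one input path.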


Still I will release a fixed plugin version acct_mgr-0.4.4 shortly after
this notification.

Don't hesitate to contact me in case of further questions regarding this
issue or other ones related to this plugin.

Steffen Hoffmann
Trac plugin maintainer
