XSS vulnerability in email verification code of AccountManagerPlugin 0.4.3 for Trac - initial response
hoff.st at web.de
Wed Apr 2 18:18:12 EDT 2014
I've been notified this evening that an XSS vulnerability demonstration
has been disclosed to the folks running the Pidgin developer site.
Ayoub Nait Lamine, the security researcher reporting this issue, did the
attack against acct_mgr-0.4.3, revealing a single occasion where user
input, the email address typed in at registration time, is pushed
unescaped for display in a confirmation message.
The exploit happens with email verification enabled, but without any
email input verification.
If email verification is enabled and configured correctly, but without
checking email input, the forged email will be saved as demonstrated. The load of
the next page right after the first successful login of the user in question
Note that regexp checking for username and email is part of the plugin
(acct_mgr.register.RegExpCheck). This component comes with default
values that would have stopped the registration of such an insane
string as email ("><img src=x onerror=prompt(1)>") before the exploit
I do strongly suggest including this check, which is the default,
recommended configuration anyway. Please check and alter your
acct_mgr.register.RegExpCheck = enabled
Still, I will release a fixed plugin version acct_mgr-0.4.4 shortly after
Don't hesitate to contact me in case of further questions regarding this
issue or other ones related to this plugin.
Trac plugin maintainer
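The two points of the message, the unescaped interpolation of the registered email address into the confirmation page and the registration-time regexp check that would have rejected the payload, in one runnable illustration. This is an added example written for this page, not code from AccountManagerPlugin; the EMAIL_RE pattern, the page template and the register() helper are assumptions chosen for the demonstration and are not the plugin's own defaults or templates. The payload string is the one quoted in the message.

```python
import html
import re

# Payload quoted in the report above.
PAYLOAD = '"><img src=x onerror=prompt(1)>'

# Assumed address pattern (an assumption for this example, NOT copied from
# acct_mgr.register.RegExpCheck): a strict pattern of this shape rejects
# quotes, angle brackets and spaces, so the payload never reaches the template.
EMAIL_RE = re.compile(r'^[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,}$', re.IGNORECASE)


def email_passes_check(email: str) -> bool:
    """Registration-time input check, modelled on a regexp whitelist."""
    return EMAIL_RE.match(email) is not None


def render_confirmation_vulnerable(email: str) -> str:
    """Defect class described in the report: raw interpolation into HTML.

    The payload closes the href attribute and injects an <img> tag."""
    return ('<p>A verification mail has been sent to '
            '<a href="mailto:%s">%s</a>.</p>' % (email, email))


def render_confirmation_fixed(email: str) -> str:
    """Same page with the value escaped for an HTML attribute and text node."""
    safe = html.escape(email, quote=True)
    return ('<p>A verification mail has been sent to '
            '<a href="mailto:%s">%s</a>.</p>' % (safe, safe))


def register(email: str, regexp_check_enabled: bool, escape_output: bool) -> dict:
    """Assumed registration flow combining both defences.

    Returns whether the address was accepted and the confirmation page that
    would be served; the page is None when registration was rejected."""
    if regexp_check_enabled and not email_passes_check(email):
        return {'accepted': False, 'page': None}
    render = render_confirmation_fixed if escape_output else render_confirmation_vulnerable
    return {'accepted': True, 'page': render(email)}


def page_contains_injected_tag(page: str) -> bool:
    """True when a literal <img ... onerror= tag survives into the markup."""
    return re.search(r'<img[^>]*onerror=', page) is not None


if __name__ == '__main__':
    for check, escape in ((False, False), (True, False), (False, True)):
        result = register(PAYLOAD, check, escape)
        print('RegExpCheck=%s escape=%s -> accepted=%s injected=%s' % (
            check, escape, result['accepted'],
            result['page'] is not None and page_contains_injected_tag(result['page'])))
```

With the check disabled and no escaping, the constructed page carries the injected tag; either defence alone stops it, and the escaped output is the fix that belongs in the template regardless of configuration, since the regexp check only covers this one input path.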