XSS vulnerability in email verification code of AccountManagerPlugin 0.4.3 for Trac - initial response
mark at kingant.net
Wed Apr 2 18:23:20 EDT 2014
Hi Steffen. Thanks for emailing us and describing the problem.
code is only executed for the user performing the attack (i.e. for the
user who entered the email address). Is there a danger of the
On Wed, Apr 2, 2014 at 3:18 PM, Steffen Hoffmann <hoff.st at web.de> wrote:
> I've been notified this evening that an XSS vulnerability demonstration
> has been disclosed to the folks running the Pidgin developer site.
> ayoub nait lamine, the security researcher reporting this issue, did the
> attack against acct_mgr-0.4.3, revealing a single occasion where user
> input, the email address typed in at registration time, is pushed
> unescaped for display in a confirmation message.
> The exploit happens with email verification enabled, but without any
> email input verification.
> If email verification is enabled and configured correctly without check
> email input, the forged email will be saved as demonstrated. The load of
> the next page right after first successful login of the user in question
> Note that regexp checking for username and email is part of the plugin
> (acct_mgr.register.RegExpCheck). This component comes with default
> values, that would have stopped the registration of such an insane
> string as email ("><img src=x onerror=prompt(1)>"), before the exploit
> could happen.
> I do strongly suggest including this check, which is the default,
> recommended configuration anyway. Please check and alter your
> configuration accordingly.
> register_check =
> acct_mgr.register.RegExpCheck = enabled
> Still I will release a fixed plugin version acct_mgr-0.4.4 shortly after
> this notification.
> Don't hesitate to contact me in case of further questions regarding this
> issue or other ones related to this plugin.
> Steffen Hoffmann
> Trac plugin maintainer
> security mailing list
> security at pidgin.im
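The two layers the thread discusses, shown side by side as an added illustration (this is not code from AccountManagerPlugin or from either author): the confirmation message rendered with the address unescaped versus HTML-escaped, plus a RegExpCheck-style input gate. The email pattern and the message wording are assumptions, not the plugin's own defaults; the sample addresses are constructed, with the malicious one taken from the advisory.

```python
import html
import re

# Constructed sample inputs: the string quoted in the advisory and an
# ordinary address for comparison.
MALICIOUS_EMAIL = '"><img src=x onerror=prompt(1)>'
BENIGN_EMAIL = 'alice@example.org'

# Hypothetical pattern in the spirit of acct_mgr.register.RegExpCheck;
# the plugin's real default lives in its configuration, not here.
EMAIL_RE = re.compile(r'(?i)^[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+[A-Z]{2,}$')

# Assumed message template; the plugin's actual wording is not on the page.
TEMPLATE = '<p>An email has been sent to %s with a verification token.</p>'


def regexp_check(email: str) -> bool:
    """Input validation: accept only strings shaped like an address."""
    return EMAIL_RE.match(email) is not None


def confirmation_unescaped(email: str) -> str:
    """The defect described: raw input interpolated into HTML, so markup in
    the address reaches the browser of the user who registered."""
    return TEMPLATE % email


def confirmation_escaped(email: str) -> str:
    """Output encoding: the same message with the address HTML-escaped."""
    return TEMPLATE % html.escape(email, quote=True)


def register(email: str, validate: bool = True) -> str:
    """Registration path: optional RegExpCheck gate, then escaped output.
    Escaping is applied regardless, so a misconfigured check alone no
    longer lets markup through."""
    if validate and not regexp_check(email):
        raise ValueError('rejected by RegExpCheck')
    return confirmation_escaped(email)
```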