XSS vulnerability in email verification code of AccountManagerPlugin 0.4.3 for Trac - initial response

Mark Doliner mark at kingant.net
Wed Apr 2 18:23:20 EDT 2014


Hi Steffen. Thanks for emailing us and describing the problem.

I'm curious... from what you described it sounds like the JavaScript
code is only executed for the user performing the attack (i.e. for the
user who entered the email address). Is there a danger of the
JavaScript being executed for other Trac users? Like, is it possible
for the malicious user to cause the JavaScript to be executed by an
innocent user?

On Wed, Apr 2, 2014 at 3:18 PM, Steffen Hoffmann <hoff.st at web.de> wrote:
> Hello,
>
> I've been notified this evening that an XSS vulnerability demonstration
> has been disclosed to the folks running the Pidgin developer site.
>
> ayoub nait lamine, the security researcher reporting this issue, did the
> attack against acct_mgr-0.4.3, revealing a single occasion where user
> input, the email address typed in at registration time, is pushed
> unescaped for display in a confirmation message.
>
> The exploit happens with email verification enabled, but without any
> email input verification.
>
> If email verification is enabled and configured correctly without checking
> email input, the forged email will be saved as demonstrated. The load of
> the next page right after the first successful login of the user in question
> will fire a confirmation message and trigger the JavaScript code.
>
> Note that regexp checking for username and email is part of the plugin
> (acct_mgr.register.RegExpCheck). This component comes with default
> values that would have stopped the registration of such an insane
> string as email ("><img src=x onerror=prompt(1)>") before the exploit
> could happen.
>
> I do strongly suggest including this check, which is the default,
> recommended configuration anyway. Please check and alter your
> configuration accordingly.
>
>
> [account-manager]
> register_check =
> BasicCheck,BotTrapCheck,EmailCheck,RegExpCheck,UsernamePermCheck
>
> [components]
> acct_mgr.register.RegExpCheck = enabled
>
>
> Still, I will release a fixed plugin version acct_mgr-0.4.4 shortly after
> this notification.
>
> Don't hesitate to contact me in case of further questions regarding this
> issue or other ones related to this plugin.
>
> Steffen Hoffmann
> Trac plugin maintainer
>
>
> _______________________________________________
> security mailing list
> security at pidgin.im
> https://pidgin.im/cgi-bin/mailman/listinfo/security
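As an added illustration, not code from the plugin or from either poster, the two independent defences the report names: escaping the address on output so the confirmation message cannot carry markup, and rejecting it on input the way a RegExpCheck-style allow-list would. The message template and the regular expression are assumptions, since the thread quotes neither.

```python
import html
import re

# Payload quoted in the report, used here as a constructed test input.
PAYLOAD = '"><img src=x onerror=prompt(1)>'

# Hypothetical stand-in for the confirmation message shown after login.
TEMPLATE = 'Confirmation email sent to <b>{email}</b>.'

# Conservative allow-list in the spirit of RegExpCheck's defaults.
# The plugin's real default pattern is not quoted in the thread; this one is assumed.
EMAIL_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def render_unescaped(email: str) -> str:
    """Vulnerable form: the stored address lands in the HTML verbatim."""
    return TEMPLATE.format(email=email)


def render_escaped(email: str) -> str:
    """Hardened form: escape before interpolation, so '<', '>' and '"' become text."""
    return TEMPLATE.format(email=html.escape(email, quote=True))


def email_check(email: str) -> bool:
    """Input-side check: True only for addresses matching the allow-list."""
    return EMAIL_RE.match(email) is not None


def contains_img_tag(rendered: str) -> bool:
    """Helper used to show whether rendered output still contains a live tag."""
    return '<img' in rendered


def register(email: str) -> str:
    """Registration path with both defences: reject bad input, escape on output."""
    if not email_check(email):
        raise ValueError('email address rejected by input check')
    return render_escaped(email)


if __name__ == '__main__':
    print(render_unescaped(PAYLOAD))   # live <img ... onerror=...> in the page
    print(render_escaped(PAYLOAD))     # same string, rendered inert
    print(email_check(PAYLOAD))        # False: never stored in the first place
```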
