XSS vulnerability in email verification code of AccountManagerPlugin 0.4.3 for Trac - initial response

Mark Doliner mark at kingant.net
Thu Apr 3 01:21:31 EDT 2014


FYI I enabled RegExpCheck for the TracAccountManager plugin via the
web admin interface.

On Wed, Apr 2, 2014 at 3:23 PM, Mark Doliner <mark at kingant.net> wrote:
> Hi Steffen. Thanks for emailing us and describing the problem.
>
> I'm curious... from what you described it sounds like the JavaScript
> code is only executed for the user performing the attack (i.e. for the
> user who entered the email address). Is there a danger of the
> JavaScript being executed for other Trac users? Like, is it possible
> for the malicious user to cause the JavaScript to be executed by an
> innocent user?
>
> On Wed, Apr 2, 2014 at 3:18 PM, Steffen Hoffmann <hoff.st at web.de> wrote:
>> Hello,
>>
>> I've been notified this evening that an XSS vulnerability demonstration
>> has been disclosed to the folks running the Pidgin developer site.
>>
>> ayoub nait lamine, the security researcher reporting this issue, did the
>> attack against acct_mgr-0.4.3, revealing a single occasion where user
>> input, the email address typed in at registration time, is pushed
>> unescaped for display in a confirmation message.
>>
>> The exploit happens with email verification enabled, but without any
>> email input verification.
>>
>> If email verification is enabled and configured correctly without checking
>> email input, the forged email will be saved as demonstrated. The load of
>> the next page right after the first successful login of the user in question
>> will fire a confirmation message and trigger the JavaScript code.
>>
>> Note that regexp checking for username and email is part of the plugin
>> (acct_mgr.register.RegExpCheck). This component comes with default
>> values, that would have stopped the registration of such an insane
>> string as email ("><img src=x onerror=prompt(1)>"), before the exploit
>> could happen.
>>
>> I do strongly suggest including this check, which is the default,
>> recommended configuration anyway. Please check and alter your
>> configuration accordingly.
>>
>>
>> [account-manager]
>> register_check =
>> BasicCheck,BotTrapCheck,EmailCheck,RegExpCheck,UsernamePermCheck
>>
>> [components]
>> acct_mgr.register.RegExpCheck = enabled
>>
>>
>> Still I will release a fixed plugin version acct_mgr-0.4.4 shortly after
>> this notification.
>>
>> Don't hesitate to contact me in case of further questions regarding this
>> issue or other ones related to this plugin.
>>
>> Steffen Hoffmann
>> Trac plugin maintainer
>>
>>
>> _______________________________________________
>> security mailing list
>> security at pidgin.im
>> https://pidgin.im/cgi-bin/mailman/listinfo/security
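The two defence layers discussed in the thread, an input check that rejects the forged address at registration time and output escaping of whatever does get stored, as an added example that is not part of the original messages and not the plugin's own code. The email pattern below is an assumption for illustration, not the actual default of acct_mgr.register.RegExpCheck, and the message builders are plain string templates rather than the Genshi templates Trac uses; the point is that the check stops the payload before it is saved, and that escaping neutralises it if it is saved anyway.

```python
import html
import re

# Assumed address pattern for this example; the real RegExpCheck default
# in the plugin is not reproduced here.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# The string used in the reported demonstration, as quoted in the thread.
PAYLOAD = '"><img src=x onerror=prompt(1)>'


def regexp_check(email):
    """Registration-time check: accept only addresses matching EMAIL_RE."""
    return bool(EMAIL_RE.match(email))


def register(email, checks):
    """Run each registration check in order; the first rejection aborts.

    Returns the stored address on success, None if any check refused it.
    Mirrors the idea of the register_check list in trac.ini, where each
    enabled component gets a veto.
    """
    for check in checks:
        if not check(email):
            return None
    return email


def confirmation_message_unescaped(email):
    # Vulnerable pattern from the report: the stored address is interpolated
    # into markup verbatim, so a forged address becomes live HTML.
    return "<p>A verification email has been sent to %s</p>" % email


def confirmation_message_escaped(email):
    # Hardened form: HTML-escape the untrusted value, including quotes,
    # before it reaches the page.
    return "<p>A verification email has been sent to %s</p>" % html.escape(
        email, quote=True
    )


if __name__ == "__main__":
    # With no input check the payload is stored and rendered as markup.
    stored = register(PAYLOAD, checks=[])
    print(confirmation_message_unescaped(stored))
    # With the regexp check enabled registration is refused outright.
    print(register(PAYLOAD, checks=[regexp_check]))
    # Escaping on output defuses the payload even without the check.
    print(confirmation_message_escaped(PAYLOAD))
```

Enabling RegExpCheck is the configuration-level mitigation the thread recommends; escaping at the point of display is the code-level fix, and a patched plugin should do the latter regardless of which checks an administrator has turned on.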

