Closed jaydipdave closed 9 years ago
Acknowledging receipt, thanks for reporting. Reporting it privately would have been appreciated.
Proposed fix committed, would appreciate someone verifying ASAP.
Extremely sorry, I searched for a "Private Message" option on GitHub, but couldn't find it. So I posted here.
I am verifying it now.
Verified. Issue is fixed.
Thanks.
No problem, it is mitigated by the fact that the user has to be logged in and it turned out to be an easy fix. Also, did you also post this: https://github.com/Project-Pier/ProjectPier-Core/issues/29 ? That person never got back to me and I was wondering if it was the same issue. Thx.
Nope, I didn't post #29. May be the same issue. By the way, I audited Project Pier for SQL and XSS but couldn't find anything other than this.
An attacker can pass this URL (with an XSS payload) to a victim (a user of ProjectPier) and can make the victim perform some tasks or can infect the user. The vulnerability is XSS.
http://www.prop.com/public/index.php?c=project&a=search&active_project=1&search_for=%3Cscript%3Ealert%28420%29%3B%3C%2Fscript%3E
The search_for parameter is not getting sanitized. You can use the CVE ID CVE-2015-2796 in your announcements when you fix this vulnerability.
Thanks, Jaydeep
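The report above describes a reflected XSS: the `search_for` query parameter is written back into the page without encoding. The following is an added example, not ProjectPier's own code or the committed fix; the function names are hypothetical and the query string is constructed to mirror the URL in the report. It places the unsafe rendering beside the hardened one so the effect of output encoding is visible.

```php
<?php
// Added example (not ProjectPier code). Hypothetical helper names.
// Demonstrates why reflecting search_for verbatim is exploitable and how
// context-appropriate output encoding mitigates it.

/** Constructed "before" rendering: the raw parameter lands inside the HTML body. */
function render_search_header_unsafe(string $search_for): string
{
    return '<h2>Search results for: ' . $search_for . '</h2>';
}

/** Hardened rendering: encode for the HTML body context at the point of output. */
function render_search_header_safe(string $search_for): string
{
    // ENT_QUOTES also encodes ' and ", so the same helper is safe inside
    // quoted attribute values such as <input value="...">.
    $escaped = htmlspecialchars($search_for, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2>Search results for: ' . $escaped . '</h2>';
}

/** Hardened rendering for the attribute context (search box pre-filled with the term). */
function render_search_input_safe(string $search_for): string
{
    $escaped = htmlspecialchars($search_for, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="search_for" value="' . $escaped . '">';
}

// Constructed query string matching the parameters in the reported URL.
$query = 'c=project&a=search&active_project=1'
       . '&search_for=%3Cscript%3Ealert%28420%29%3B%3C%2Fscript%3E';
parse_str($query, $params);          // parse_str URL-decodes each value
$search_for = (string) ($params['search_for'] ?? '');

echo render_search_header_unsafe($search_for), PHP_EOL;
echo render_search_header_safe($search_for), PHP_EOL;
echo render_search_input_safe($search_for), PHP_EOL;
```

Run with `php example.php`: the first line contains a live `<script>` element, the second and third contain only `&lt;script&gt;...&lt;/script&gt;` text, which a browser displays rather than executes. Encoding belongs at the output boundary, chosen for the context (HTML body, attribute, JavaScript string, URL) where the value is inserted; input "sanitizing" alone is not a substitute, because the same stored value may later be emitted into a different context.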