Discovered XSS vulnerabilities in The Bug Genie
Earlier this year, I discovered multiple cross-site scripting (XSS) vulnerabilities in The Bug Genie, an open source issue tracking and project management application.
The Vulnerabilities
For reference, the vulnerabilities were assigned CVE-2013-1760. Proper and timely disclosure practices were coordinated through the Trustwave SpiderLabs' security advisory team.
The Bug Genie version 3.2.4 and earlier, suffer from multiple persistent, and reflected XSS vulnerabilities in different areas of the application. I will not dive into details for each finding, as they are mentioned in the references below.
One of the unfixed issues was related to not properly sanitizing output that was rendered during error messages:
Examples:
Could not validate against the OpenID provider: $message
Could not connect to $url
Modifying the openid_identifier
parameter's value to arbitrary JavaScript caused the application to throw the error exception:
Could not connect to http://<script>prompt(1)</script>
Resulting in reflected cross-site scripting. The remaining findings included:
- Wiki
description
parameter XSS - Issues
description
parameter XSS - Issues
uploader_file
parameter persistent XSS - Dashboard
HTTP Referer Header
reflected XSS - Account
HTTP Referer Header
reflected XSS - Login
openid_identifier
parameter XSS - File Attachments persistent XSS
The Patches
After disclosing the security issues to The Bug Genie team, version 3.2.5 of the application was released to address them. Unfortunately, I found out that not all of the findings were properly addressed. As a result, I hunted down the remaining two unfixed issues, and submitted a pull request to merge my fixes to their codebase.
The following are the two patches that I submitted to address the openid_identifier
and timeline
XSS vulnerabilities:
Filename: core/classes/LightOpenID.classes.php
protected function request_streams($url, $method='GET', $params=array())
{
if(!$this->hostExists($url)) {
- throw new ErrorException("Could not connect to $url.", 404);
+ throw new ErrorException("Could not connect to ".htmlentities($url), 404);
}
Filename: modules/main/templates/_logitem.inc.php
if (isset($include_details) && include_details)
{
- echo < div class="timeline_inline_details">'.n12br($issue->getDescription()).'< /div>';
+ echo < div class="timeline_inline_details">'.n12br(htmlentities($issue->getDescription())).'< /div>';
}