FogBugz Cross Site Scripting Vulnerability Jan 12 2006 11:15AM
M.Neset KABAKLI (neset wakiza com)
I.Vulnerability
FogBugz Cross Site Scripting Vulnerability

II.Vendor
Fog Creek Software (www.fogcreek.com)

III.Affected Systems
- FogBugz (<= 4.029)

IV.About
FogBugz is a complete web based project management system for software
teams. Designed by Joel Spolsky of Joel on Software fame (www.fogcreek.com).

V.Description
An attacker is able to inject HTML and client-side script codes to FogBugz
login page by modifying dest variabe. An example crafted link can be found
below.

VI.Exploit
http://[fogbugz.example.com]/default.asp?pg=pgLogon&dest=[XSS]

VII.Vulnerability Status
- Vulnerability discovered on 2005-12-11.
- Vendor notified on 2005-12-13.
- Patch released on 2005-12-13.

VIII.Credits
M.Neset KABAKLI, Wakiza Software Technologies (www.wakiza.com).

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus