[42142] in bugtraq
FogBugz Cross Site Scripting Vulnerability
daemon@ATHENA.MIT.EDU (M.Neset KABAKLI)
Thu Jan 12 17:49:01 2006
Message-ID: <20060112110447.2917.qmail@mail.securityfocus.com>
From: "M.Neset KABAKLI" <neset@wakiza.com>
To: <bugtraq@securityfocus.com>
Date: Thu, 12 Jan 2006 13:15:03 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
I.Vulnerability
FogBugz Cross Site Scripting Vulnerability
II.Vendor
Fog Creek Software (www.fogcreek.com)
III.Affected Systems
- FogBugz (<= 4.029)
IV.About
FogBugz is a complete web based project management system for software
teams. Designed by Joel Spolsky of Joel on Software fame (www.fogcreek.com).
V.Description
An attacker is able to inject HTML and client-side script codes to FogBugz
login page by modifying dest variabe. An example crafted link can be found
below.
VI.Exploit
http://[fogbugz.example.com]/default.asp?pg=pgLogon&dest=[XSS]
VII.Vulnerability Status
- Vulnerability discovered on 2005-12-11.
- Vendor notified on 2005-12-13.
- Patch released on 2005-12-13.
VIII.Credits
M.Neset KABAKLI, Wakiza Software Technologies (www.wakiza.com).
