[Bug 9754] New: Possible XSS exploit possibility

wine-bugs at winehq.org
Sun Sep 23 13:22:36 CDT 2007


http://bugs.winehq.org/show_bug.cgi?id=9754

           Summary: Possible XSS exploit possibility
           Product: WineHQ Apps Database
           Version: unspecified
          Platform: Other
               URL: http://appdb.winehq.org/objectManager.php?bIsQueue=false&bIsRejected=false&sClass=application&iId=1369&sAction=showMoveChildren&sTitle=Could%20this%20be%20exploited?
        OS/Version: other
            Status: UNCONFIRMED
          Severity: major
          Priority: P2
         Component: website-bugs
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: marco at harddisk.is-a-geek.org


While surfing the AppDB entry for GTA Vice City
(http://appdb.winehq.org/objectManager.php?sClass=application&iId=1369), I
found a link at the bottom of the page stating "Move child objects".
I clicked on it and found out that the URL contains a parameter sTitle, which
apparently sets the page title and can be set to any text I think of.

Good news is that obvious JavaScript does not work, but I think it'd be easy
for a pro to develop a working XSS exploit.


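The report describes `sTitle` being read from the query string and used as the page title. The following is an added example, not AppDB's code and not part of the original report, that shows the value emitted raw beside an output-encoded form. The function names, the default title and the 80-character cap are assumptions made for the illustration.

```php
<?php
// Added illustration; not taken from the AppDB source. Function names, the
// default title and the 80-character cap are assumptions for this example.

// Pattern the report describes: a query-string value used as the page title
// with no output encoding, so any markup in it becomes part of the page.
function render_title_unsafe(array $query): string
{
    $title = $query['sTitle'] ?? '';
    return "<title>$title</title>\n<h1>$title</h1>\n";
}

// Hardened form: treat sTitle as untrusted text, normalise it, and encode it
// for the HTML context at the point of output.
function render_title(array $query, string $default = 'Move child objects'): string
{
    $title = $query['sTitle'] ?? $default;
    if (!is_string($title)) {          // sTitle[]=x arrives as an array
        $title = $default;
    }
    // Drop control characters, collapse whitespace, bound the length.
    $title = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $title) ?? $default;
    $title = trim(preg_replace('/\s+/', ' ', $title) ?? $default);
    if ($title === '') {
        $title = $default;
    }
    $title = substr($title, 0, 80);

    // ENT_QUOTES also encodes ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // (including a multibyte character split by substr) with U+FFFD.
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<title>$safe</title>\n<h1>$safe</h1>\n";
}

// Constructed sample input, parsed the way PHP fills $_GET.
parse_str('sClass=application&iId=1369&sAction=showMoveChildren'
        . '&sTitle=Could%20this%20be%20exploited%3F%20%3Cb%3Emarkup%3C%2Fb%3E', $query);

echo render_title_unsafe($query);  // unencoded variant
echo render_title($query);         // encoded variant
```

Encoding at the point of output covers the HTML text context used here; a title placed inside an attribute, a URL or a script block needs the encoder for that context instead.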