Re: SASHA v0.2.0 Mutiple XSS

[Henri Salo <henri () nerv fi>]

On Sun, Dec 18, 2011 at 02:08:19PM -0500, tom wrote:
> # Exploit Title: SASHA v0.2.0 Mutiple XSS
> # Date: 12/16/11
> # Author: G13
> # Software Link: http://sourceforge.net/projects/sasha/files/
> # Version: 0.2.0
> # Category: webapps (php)
> #
>
>
> ##### Vulnerability #####
>
> When adding a new course to the schedule, the application relies on
> Client Side controls for input.  This can easily be bypassed by
> using an intercepting proxy or CSRF attack.
>
>
> ##### Affected Variables #####
>
> section_title=[XSS]
> instructors=[XSS]
>
> ##### POST Data #####
>
> institution=uvm&semester%5Bseason%5D=09&semester%5Byear%5D=2011&schedule_type=0&
> subject=math&course=0028&section=test&start_time%5Bhour%5D=8&
> start_time%5Bminute%5D=0&start_time%5Bmeridiem%5D=AM&end_time%5Bhour%5D=9&
> end_time%5Bminute%5D=0&end_time%5Bmeridiem%5D=AM&parent_schedule_id=&
> instructors%5B0%5D=&instructors%5B1%5D=&instructors%5B2%5D=&instructors%5B3%5D=&
> instructors%5B4%5D=&instructors%5B5%5D=&section_title=&step=1&next=Next

This seems to be a false-positive in some sense. Variable instructors has stored XSS vulnerability, but section_title 
doesn't. One can only use this XSS-vulnerability against own account so not an issue. Author of the program will still 
fix this issue. Tom in my opinion you are doing great work, but please contact developers before announcements. I know 
this is sometimes waste of time, but you should still do that. In my opinion this doesn't deserve CVE. Please also note 
that this software is not heavily used as far as developer knew so might be the best not to email bugtraq before 
fix/patch next time.

More information: https://sourceforge.net/apps/mantisbt/sasha/view.php?id=13

You can also reach them at #sasha-dev in Freenode IRC-network.

- Henri Salo