Freshmeat Comment Filtering Error --------------------------------- Freshmeat is a community driven website which serves as an index of free software projects. Each of the listed projects contains links to a website, download locations and other relevent information. The site is updated several times a day to include recent releases. The Vulnerability ----------------- Each project page contains a collection of links and information about it, as well as the ability for visitors to leave comments. Two forms of comments are allowed plain text, or HTML text. The attributes of the HTML are inadequately sanitized, allowing a malicious commentor to create links which would execute arbitary Javascript. The following is an example of such a malicious link: foo.com Impact ------ The site uses a session ID stored in a cookie to keep track of a users state. If a user is logged in and clicks upon a link, (or moves over it depending on the code), then they could have their login credentials stolen. The Fix ------- The site admins were informed of the details of the attack and had the problem patched 9 hours later. Timeline -------- Site admins informed: Thu, 25 Mar 2004 04:39:06 -0800 (PST) Site Fixed: Thu, 25 Mar 2004 04:39:06 -0800 (PST) Links ----- Online version of this text: http://www.steve.org.uk/Hacks/Freshmeat.html Steve -- # Debian Security Audit Project http://www.shellcode.org/Audit/