Cross Site Scripting at TorProject Blog

GET parameter incorrectly filter GET query which allows attackers to execute JavaScript code which is called Cross Site Scripting.

https://blog.torproject.org/archive/1%3Cbody%20onload=alert%28666%29%3E/2013/11/,

Trac:
Username: patryk.bogdan@pentesters.pl

added component::webpages/blog priority::high reporter::patryk.bogdan@pentesters.pl resolution::fixed severity::normal status::closed type::defect labels

NoScript saved me, however unprotected browsers read the number of the beast (666). (Could be much worser)

Since some change in Trac settings I can't add someone else to CC or change the owner. Phobos would be "responsible" as far as I can tell.

the blog seems to run a very, very old version of drupal. maybe step one is to upgrade the blog. or scrap it for a modern blog platform.

Trac:
Status: new to assigned
Owner: Patryk Bogdan to phobos

Trac:
Status: assigned to new

Trac:
Owner: phobos to N/A
Status: new to assigned

Trac:
Status: assigned to new

Trac:
Username: mastertlion

stem-1.3.0.tar.bz2

Trac:
Username: mastertlion

Trac:
Username: mastertlion

Novo_a__Documento_de_texto.txt

Trac:
Username: mastertlion

Trac:
Username: mastertlion

mastertlion_site1_2015-01-01-16h20.zip

Trac:
Username: mastertlion

Moving to new Blog component

Trac:
Component: Website to Blog

Still not fixed?

Trac:
Severity: N/A to Normal
Keywords: xss blog torproject cross site scripting deleted, N/A added
Sponsor: N/A to N/A

the new blog went online, I guess this is fixed now, otherwise please reopen.

Trac:
Resolution: N/A to fixed
Reviewer: N/A to N/A
Status: new to closed

Moved closed tickets from Internal Services/Blog to Webpages/Blog

Trac:
Component: Internal Services/Blog to Webpages/Blog

closed