ReviewBoard XSS Vulnerabilities

2013.08.10
Credit: Craig Young
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

ReviewBoard (www.reviewboard.org) aims to 'take the pain out of code review'. Because it integrates with source control, it is imperative to maintain proper protections on this server. I have worked with the developers to resolve multiple XSS conditions and harden web server configurations. The XSS conditions are resolved by upgrading to the latest release, but the arguably more important fix (a configuration change) must be manually applied to existing sites. ReviewBoard admins are advised to upgrade and to review their Apache/nginx configurations to avoid access control bypass, code execution, and XSS. I have prepared a blog post to explain the issues and provide proof-of-concept/reproduction information: http://www.tripwire.com/state-of-security/vulnerability-management/vulnerabilities-its-time-to-review-your-reviewboard/

Thanks,
Craig Young
Security Researcher, Tripwire VERT
@CraigTweets

References:

http://www.tripwire.com/state-of-security/vulnerability-management/vulnerabilities-its-time-to-review-your-reviewboard/

