Phabricator: XSS with Time-of-Day Format

2015-03-20T21:32:08
ID H1:52822
Type hackerone
Reporter candux
Modified 2015-04-19T21:58:26

Description

  • Go to your user preferences
  • Put the following into Time-of-Day Format (with the quote): '<\i\m\g \s\r\c=x \o\n\e\r\r\o\r=\a\l\e\r\t(\'X\S\S\')\>'
  • Open a repository (diffusion) -> XSS-Popup

The repository file-overview is the only place where I could see the XSS so far.

Because it's a user's own preference, it is not easy to actually do something malicious in a real-world scenario. But it's definitely possible if you think hard enough about it :)

Cheers, David

mongoose
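The root cause behind this report is that a PHP-style date format string lets backslash-escaped letters pass through as literal characters, so the formatted time is really attacker-chosen text and has to be HTML-escaped at the point where it is placed into the page. The following is an added illustration, not code from the report or from Phabricator: a small stand-in formatter (assumed, covering only a few format letters) plus the unsafe and the fixed rendering side by side, and an allow-list check that could be applied when the preference is saved.

```python
import html
from datetime import datetime

# Hypothetical stand-in for a PHP date()-style formatter. It supports a
# handful of format letters and, like PHP, treats "\x" as the literal
# character x. That escape is what lets a format string produce arbitrary
# text such as markup.
def php_style_format(fmt: str, when: datetime) -> str:
    out = []
    pos = 0
    while pos < len(fmt):
        ch = fmt[pos]
        if ch == "\\" and pos + 1 < len(fmt):
            out.append(fmt[pos + 1])      # escaped: emit next char verbatim
            pos += 2
            continue
        if ch == "H":
            out.append(f"{when.hour:02d}")
        elif ch == "g":
            out.append(str(when.hour % 12 or 12))
        elif ch == "i":
            out.append(f"{when.minute:02d}")
        elif ch == "s":
            out.append(f"{when.second:02d}")
        elif ch == "a":
            out.append("am" if when.hour < 12 else "pm")
        else:
            out.append(ch)                # unknown chars are literal, as in PHP
        pos += 1
    return "".join(out)


def render_unsafe(fmt: str, when: datetime) -> str:
    # The bug: formatted value dropped straight into markup.
    return f"<td>{php_style_format(fmt, when)}</td>"


def render_safe(fmt: str, when: datetime) -> str:
    # The fix: escape the formatted value before it reaches the HTML.
    return f"<td>{html.escape(php_style_format(fmt, when), quote=True)}</td>"


def format_is_safe(fmt: str) -> bool:
    # Optional defence in depth when the preference is saved: only allow
    # format letters and plain separators, no backslash escapes or brackets.
    allowed = set("HGgisaA:. -")
    return all(c in allowed for c in fmt)


# Payload taken from the report above (the preference value, quote included).
REPORT_PAYLOAD = r"'<\i\m\g \s\r\c=x \o\n\e\r\r\o\r=\a\l\e\r\t(\'X\S\S\')\>'"

if __name__ == "__main__":
    when = datetime(2015, 3, 20, 21, 32, 8)   # constructed sample timestamp
    print(php_style_format("g:i a", when))   # normal use
    print(render_unsafe(REPORT_PAYLOAD, when))
    print(render_safe(REPORT_PAYLOAD, when))
    print(format_is_safe("g:i a"), format_is_safe(REPORT_PAYLOAD))
```

Escaping at output time is the fix that actually closes the hole; the allow-list is a second layer that also rejects the stored value early, which keeps such strings out of the database and out of any other consumer that might forget to escape.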