FogBugzXSS.txt

2006-01-15T00:00:00
ID PACKETSTORM:43064
Type packetstorm
Reporter M.Neset KABAKLI
Modified 2006-01-15T00:00:00

Description

                                        
I.Vulnerability  
FogBugz Cross Site Scripting Vulnerability  
  
  
II.Vendor  
Fog Creek Software (www.fogcreek.com)  
  
  
III.Affected Systems  
- FogBugz (<= 4.029)  
  
  
IV.About  
FogBugz is a complete web based project management system for software  
teams. Designed by Joel Spolsky of Joel on Software fame (www.fogcreek.com).  
  
  
V.Description  
An attacker can inject HTML and client-side script code into the FogBugz  
login page by modifying the dest variable. An example crafted link is shown  
below.  
  
  
VI.Exploit  
http://[fogbugz.example.com]/default.asp?pg=pgLogon&dest=[XSS]  
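
Added example (not part of the original advisory): a log check for operators of an affected installation that flags logon requests whose dest value carries markup. The access-log format, the sample lines, and the heuristic that a legitimate dest contains no quotes, angle brackets or javascript: scheme are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed heuristic: a post-login destination is a plain relative URL, so
# quotes, angle brackets or a javascript: scheme in dest indicate injection.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %253C is seen as '<'."""
    for _ in range(max_rounds):
        value = unquote(value)
    return value

def suspicious_dest(request_target):
    """Return the decoded dest value if a pgLogon request carries markup, else None."""
    parts = urlsplit(request_target)
    if not parts.path.lower().endswith("/default.asp"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "pgLogon" not in params.get("pg", []):
        return None
    for raw in params.get("dest", []):
        dest = fully_decode(raw)
        if SUSPICIOUS.search(dest):
            return dest
    return None

def scan(log_lines):
    """Yield (line_number, dest) for each flagged request in access-log lines."""
    request = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
    for number, line in enumerate(log_lines, 1):
        match = request.search(line)
        if match:
            dest = suspicious_dest(match.group(1))
            if dest is not None:
                yield number, dest

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jan/2006:10:00:01 +0000] "GET /default.asp?pg=pgLogon&dest=default.asp%3Fpg%3DpgList HTTP/1.1" 200 5120',
    '192.0.2.44 - - [15/Jan/2006:10:02:17 +0000] "GET /default.asp?pg=pgLogon&dest=%22%3E%3Cb%3Emarker%3C%2Fb%3E HTTP/1.1" 200 5188',
    '192.0.2.44 - - [15/Jan/2006:10:02:40 +0000] "GET /default.asp?pg=pgLogon&dest=%253Ci%253Emarker HTTP/1.1" 200 5170',
    '192.0.2.10 - - [15/Jan/2006:10:05:03 +0000] "GET /default.asp?pg=pgList HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for number, dest in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious dest={dest!r}")
```

The third sample line is double-encoded, which is why the value is decoded repeatedly before matching.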
  
  
VII.Vulnerability Status  
- Vulnerability discovered on 2005-12-11.  
- Vendor notified on 2005-12-13.  
- Patch released on 2005-12-13.  
  
  
VIII.Credits  
M.Neset KABAKLI, Wakiza Software Technologies (www.wakiza.com).  
  
  
  