Redmine <= 0.8.7 UTF-7 XSS Vulnerability

2009-12-19T00:00:00
ID SSV:18612
Type seebug
Reporter Root
Modified 2009-12-19T00:00:00

Description

No description provided by source.

Redmine <= 0.8.7 UTF-7 XSS Vulnerability
Discovered by: p0deje (http://p0deje.blogspot.com)
Application: http://www.redmine.org/wiki/redmine/Download
SA: -
Date: 01.12.2009
Versions affected: <= 0.8.7
Vulnerability: Cross-site Scripting
Platform: Ruby (Ruby On Rails)
Description: Redmine does not properly define the page character encoding: it places <title> before <meta>. It may therefore be possible to create a page whose title contains UTF-7-encoded JavaScript, which will be executed in Internet Explorer 7/8 when the Auto-Select encoding option is on.

Proof-of-Concept:
1. Create a new issue with the title "+ADw-script+AD4-alert('XSS');+ADw-/script+AD4-" (without quotes)
2. Open it in Internet Explorer 7/8
3. Set Encoding options to Auto-Select

Result:
The JavaScript alert will be executed.
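
An added example, not part of the advisory and not Redmine's own code: a Ruby check that flags the condition described above (<title> rendered before the <meta> charset declaration) and decodes UTF-7 shifted sequences found in the title. The function names and the two sample pages are constructed for illustration, and the Content-Type header check goes beyond what the advisory itself covers.

```ruby
# Added example (not Redmine code). Sample pages below are constructed.

# True when the HTTP Content-Type header itself pins the encoding.
def header_charset?(content_type)
  content_type.to_s.match?(/;\s*charset\s*=\s*["']?[\w.:-]+/i)
end

# Decode UTF-7 shifted runs ("+<modified base64>-", UTF-16BE inside) and
# return the decoded runs that contain markup-significant characters.
def utf7_markup_runs(text)
  text.to_s.scan(/\+([A-Za-z0-9+\/]{3,})-?/).flatten.map { |b64|
    raw = (b64 + "=" * (-b64.length % 4)).unpack1("m")  # lenient base64
    raw = raw[0, raw.bytesize - raw.bytesize % 2]       # whole UTF-16 units only
    raw.force_encoding("UTF-16BE").encode("UTF-8", invalid: :replace, undef: :replace)
  }.select { |s| s.match?(/[<>"']/) }
end

# Return symbols describing why a page could be auto-detected as UTF-7.
def audit_page(content_type, html)
  findings = []
  title_at = html =~ /<title\b/i
  meta_at  = html =~ /<meta\b[^>]*charset\s*=/i
  findings << :no_header_charset unless header_charset?(content_type)
  if meta_at.nil?
    findings << :no_meta_charset
  elsif title_at && title_at < meta_at
    findings << :title_before_meta_charset
  end
  title = html[/<title\b[^>]*>(.*?)<\/title>/im, 1]
  findings << :utf7_markup_in_title unless utf7_markup_runs(title).empty?
  findings
end

# Constructed pages: the issue title from the proof of concept, rendered
# with <title> before <meta>, and with the order corrected.
POC_TITLE = "+ADw-script+AD4-alert('XSS');+ADw-/script+AD4-"
META      = '<meta http-equiv="content-type" content="text/html; charset=utf-8" />'
BEFORE    = "<html><head><title>#{POC_TITLE}</title>#{META}</head></html>"
AFTER     = "<html><head>#{META}<title>#{POC_TITLE}</title></head></html>"

if __FILE__ == $PROGRAM_NAME
  p audit_page("text/html", BEFORE)
  p audit_page("text/html; charset=utf-8", AFTER)
end
```

With the encoding pinned before the title, the stored `+ADw-` sequences are still reported, but they are plain ASCII text to the browser and are never reinterpreted as markup.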