[pydotorg-www] [Webmaster] Fwd: [PSRT] XSS DOM on python.org

Steve Holden steve at holdenweb.com
Fri Jan 10 13:12:13 EST 2020


Hey Victor,

I'm sending this reply to pydotorg-www@, since it is they who handle
updating the web site.

webmaster@ is a common destination for such queries, but all we can do is
what I've just done in most cases.

Kind regards,
Steve Holden


On Fri, Jan 10, 2020 at 5:03 PM Victor Stinner <vstinner at python.org> wrote:

> Hi python.org webmasters,
>
> Would you mind having a look? :-)
>
> Victor
>
> ---------- Forwarded message ---------
> From: Nikhil1R via PSRT <psrt at python.org>
> Date: Fri. 10 Jan. 2020 at 10:18
> Subject: [PSRT] XSS DOM on python.org
> To: security at python.org <security at python.org>
>
>
> [*] Summary:
> XSS DOM on https://www.python.org/
>
> [*] Steps To Reproduce:
>
> 1.  Open https[://]spotify[.]com/us/
> 2.  Go to the "Web Developer's" options and select the "Inspector"
> option.
> 3.  In the inspector options, select the <img class="python-logo"
> src="/static/img/python-logo.png" alt="python™">.
> 4.  Right-click it and select "Edit as HTML".
> 5.  Replace the value in quotes "/static/img/python-logo.png" with the
> string "><svg onload=alert(1)>.
> 6.  After that, click outside the HTML editing box.
> 7.  Hence, you will get the alert of the XSS (DOM based) being executed.
>
> [*] Impact:
>           The source is controlled by the user, so they can execute the
> XSS for a dangerous sink.
>
> [*] Supporting Material/References:
>
>          1. Screenshots attached as .png.
>          2. Browser: Latest Firefox 71.0 (64 bit) for Linux & latest
> Firefox for Windows.
>          3. OS: Linux, Windows.
>
> Note: I'm only attaching the screenshot for Linux, but I had also
> tested this on Windows 10.
> -----------------------------
> Python Security Response Team
> Unsubscribe:
> https://mail.python.org/mailman/options/psrt/vstinner%40python.org
>
>
> --
> Night gathers, and now my watch begins. It shall not end until my death.
> _______________________________________________
> Webmaster mailing list
> Webmaster at python.org
> https://mail.python.org/mailman/listinfo/webmaster
>