From: hamitcibo4@...
Date: 2018-01-25T11:12:10+00:00
Subject: [ruby-core:85110] [Ruby trunk Bug#14389] Reflected XSS

Issue #14389 has been updated by TheGirdap (Hamit Cibo).

hsbt (Hiroshi SHIBATA) wrote:
> Thank you for your report.
>
> But I know that you already reported other places and shared the upstream information.
>
> * https://github.com/ruby/www.ruby-lang.org/issues/1734
> * https://github.com/ruby/www.ruby-lang.org/issues/1735
> * https://github.com/clear-code/rurema-search/issues/27
> * security at ruby-lang.org
> * hackerone
>
> It's the issue of [rurema-search](https://github.com/clear-code/rurema-search), which is a documentation searcher, NOT the Ruby language.

gift ?

----------------------------------------
Bug #14389: Reflected XSS
https://bugs.ruby-lang.org/issues/14389#change-69823

* Author: TheGirdap (Hamit Cibo)
* Status: Third Party's Issue
* Priority: Normal
* Assignee:
* Target version:
* ruby -v:
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
Hello,

Reflected XSS found ..

https://docs.ruby-lang.org/ja/search/query:import/query:callback/%22%3E%3C/title%3Ealert(XSS%20A%C3%A7%C4%B1%C4%9F%C4%B1)%3C/script%3E%3E%3Cmarquee%3E%3Ch1%3EXSSa%C3%A7%C4%B1%C4%9F%C4%B1%3C/h1%3E%3C/marquee%3E%3D

result ; ss: search: search box > ....import+words+payload => reflected xss

https://twitter.com/hamit_cibo

---Files--------------------------------
Ekran_Resmi_2018-01-24_01.09.36 (1).png (187 KB)

--
https://bugs.ruby-lang.org/
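The bug class reported above is a search term taken from a `query:<term>` path segment and written back into the page (the `<title>` and the search box) without HTML escaping. The following is an added illustration of the defensive fix, not code from rurema-search or from the reporter: a deliberately unescaped renderer beside an escaped one, with a constructed sample term shaped like the reported payload, and a small helper that decodes the path segment the way the report's URL is built. The HTML template, the helper names and the sample term are assumptions for the example; only the `query:` segment format and the reflection points come from the report.

```ruby
require "erb"
require "uri"

# Constructed sample term, shaped like the report's payload (it is not the
# reporter's exact string): it closes the <title> tag and injects new markup.
SAMPLE_QUERY = %q{"></title><script>alert(1)</script><marquee><h1>x</h1></marquee>}

# Extract the term from a "query:<percent-encoded term>" path segment, as in the
# reported URL. decode_www_form_component also turns "+" into a space, which is
# how "import+words" in the report becomes "import words".
def term_from_path_segment(segment)
  raise ArgumentError, "not a query segment" unless segment.start_with?("query:")
  URI.decode_www_form_component(segment.delete_prefix("query:"))
end

# Vulnerable rendering (hypothetical template): the raw term is interpolated into
# an HTML text context (<title>) and an attribute context (value="...").
def render_unescaped(term)
  %(<title>#{term} - search</title><input name="query" value="#{term}">)
end

# Hardened rendering: escape once, with an HTML escaper that handles &, <, >, "
# and ', so the same escaped string is safe in both text and attribute contexts.
def render_escaped(term)
  safe = ERB::Util.html_escape(term)
  %(<title>#{safe} - search</title><input name="query" value="#{safe}">)
end

# Reviewer check: does the term reach the output byte-for-byte? If it does and
# it contains markup, the page reflects attacker-controlled HTML.
def reflects_markup?(html, term)
  html.include?(term)
end

# End-to-end: decode the path segment, then render with or without escaping.
def render_search_page(segment, escape: true)
  term = term_from_path_segment(segment)
  escape ? render_escaped(term) : render_unescaped(term)
end

if __FILE__ == $PROGRAM_NAME
  seg = "query:" + URI.encode_www_form_component(SAMPLE_QUERY)
  puts "unescaped reflects markup: #{reflects_markup?(render_search_page(seg, escape: false), SAMPLE_QUERY)}"
  puts "escaped reflects markup:   #{reflects_markup?(render_search_page(seg), SAMPLE_QUERY)}"
end
```

Escaping at the point of output is the fix for this bug class; validating or rejecting "dangerous" search terms at input time is not a substitute, because a documentation searcher must accept arbitrary text (including `<` and `"`) as legitimate queries.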