Security update

Postby hackernr6 on Wed May 05, 2010 2:14 pm

This website is prone to XSS.

For example, if you create an account and go to the box for personal information, and you type there the following:

Code:
</textarea> <input type="button" value="clickme" onclick="javascript:alert('you clicked me');"/><textarea cols="60" rows="4" name="info">

It will add an extra button with JavaScript code behind it. This means that basically anyone can just create their own forms by using that field and can make them submit things that address the PHP code on the server side.

So basically what I'm saying is... you can get logins, usernames, passwords, email addresses, all that good stuff by simply writing your own form that runs on the client side, but speaks directly to the server side.
Posts: 1
Joined: Wed May 05, 2010 2:05 pm

Re: Security update

Postby tails on Thu May 06, 2010 4:06 am

Thank you very much for the report!
We regard that as a serious matter, and will fix it as soon as possible.

We have fixed the page you reported and some others.
Please let us know if you find any other problematic pages.
Posts: 90
Joined: Thu Oct 23, 2008 12:10 pm

Re: Security update

Postby adum on Fri May 07, 2010 11:17 am

Hi there, I appreciate you looking for XSS vulnerabilities. Thanks!

However, in this case it's not a security problem: the only person you can attack is yourself. An XSS vulnerability only exists where the data one person can enter is visible to another. In this case, I believe I already filter the personal data when others look at it. If you can find a place where I don't, I'd love to see it, but the one you mentioned (and the others you changed, tails) were not problematic.
Site Admin
Posts: 386
Joined: Tue Sep 30, 2008 5:09 pm
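The following is an added illustration, not code from this site or from either poster: it echoes the exact payload from the first post into a profile edit box, once raw and once HTML-escaped (the output filtering adum describes), and audits the result to show how the raw version breaks out of the textarea and injects a button with an event handler. The form action name and field layout are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# The payload from the first post, used here as constructed test input.
PAYLOAD = ('</textarea> <input type="button" value="clickme" '
           'onclick="javascript:alert(\'you clicked me\');"/>'
           '<textarea cols="60" rows="4" name="info">')


def render_profile_form(info: str, escape_output: bool) -> str:
    """Render the 'personal information' edit box (assumed layout).
    escape_output=False echoes the stored value raw, which is the
    behaviour reported in the thread; True applies HTML escaping."""
    value = escape(info, quote=True) if escape_output else info
    return ('<form method="post" action="profile.php">'
            f'<textarea cols="60" rows="4" name="info">{value}</textarea>'
            '</form>')


class TagAuditor(HTMLParser):
    """Count start tags and on* event-handler attributes in rendered HTML."""
    def __init__(self):
        super().__init__()
        self.counts = {}
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.counts[tag] = self.counts.get(tag, 0) + 1
        for name, _ in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))


def audit(html: str) -> dict:
    """Return how many textareas, inputs and inline handlers the page has.
    A correctly escaped profile page has one textarea and no handlers."""
    parser = TagAuditor()
    parser.feed(html)
    return {"textarea": parser.counts.get("textarea", 0),
            "input": parser.counts.get("input", 0),
            "event_handlers": len(parser.handlers)}


if __name__ == "__main__":
    for escaped in (False, True):
        print("escaped" if escaped else "raw", audit(render_profile_form(PAYLOAD, escaped)))
```

Escaping on output is what neutralises the payload; whether another user can ever see the field decides if the raw case is self-XSS or a real stored XSS, which is the point adum and tails disagree on.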

Re: Security update

Postby tails on Fri May 07, 2010 5:52 pm

Hmm, I think someone could steal your password if you followed a link in which a script was embedded.

Oh, I think I've found another security problem... I'll send you an e-mail later, Adum.
Posts: 90
Joined: Thu Oct 23, 2008 12:10 pm
