3.8.7 security concern

I received this message today from one of my forum members. Comments?

I'm an internally facing security architect for an Internet company, but I'm also a forum member. While I was trying to post a message, I noticed that angle brackets were not escaped in forum output, yielding an XSS vulnerability. If you compose a post containing:

(LEFT_ANGLE_BRACKET)img src="/" onerror="alert(1)"(RIGHT_ANGLE_BRACKET)

and then preview it, the JavaScript executes. You'll need to convert the brackets to actual brackets and remove the parentheses to try it out. I did not (and will not) attempt to submit the test post, I just previewed it. If submitting the post works, this puts your users at risk. I'm not looking for credit here, I just want to be safe while participating in the forums. I want my fellow users to be safe too.
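Added example, not code from the forum or from vBulletin: it models the unescaped preview the member describes next to an output-escaped version, and adds a regression check a forum operator could run against rendered preview HTML. The function names, the wrapping div and the probe string (the member's payload with brackets restored) are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed probe: the post body described in the report, with the
# placeholder bracket names replaced by real angle brackets.
PROBE_POST = '<img src="/" onerror="alert(1)">'


def render_preview_unsafe(body: str) -> str:
    """Models the reported behaviour: the post body lands in the page verbatim."""
    return f'<div class="preview">{body}</div>'


def render_preview_safe(body: str) -> str:
    """Hardened preview: escape <, >, &, quotes so markup is shown as text."""
    return f'<div class="preview">{html.escape(body, quote=True)}</div>'


class _ActiveMarkupFinder(HTMLParser):
    """Records tags that would execute script: on* handlers and script-bearing elements."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(tag)
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"{tag}@{name}")


def active_markup(rendered: str) -> list[str]:
    """Regression check: return any executable markup found in rendered HTML."""
    finder = _ActiveMarkupFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # The unsafe renderer leaks a live onerror handler; the safe one yields none.
    print("unsafe:", active_markup(render_preview_unsafe(PROBE_POST)))
    print("safe:  ", active_markup(render_preview_safe(PROBE_POST)))
```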
Powered by vBulletin® Copyright ©2000 - 2026, Jelsoft Enterprises Ltd.