Posted 6 years ago #
There is a major security hole in the comment system that allows XSS attacks. I've confirmed it on my default installation (with cocomment enabled). Is this a known issue? I'm gonna do some more testing with non-default installations but if you would like to help me on this, just comment a post with:
<script>alert(666);</script> and see if you get it interpreted.
thanks
bigo
Posted 6 years ago #
Doesn't work for me. The script tags get stripped out.
Posted 6 years ago #
This will only work for a registered user who has the "unfiltered_html" capability which is normally only given to the original admin user.
Posted 6 years ago #
you are right. It only works when I'm logged.
thanks!
This topic has been closed to new replies.
