• Resolved privateboxnz

    (@privateboxnz)


    The software does not sufficiently validate, filter, escape, and encode user-controllable input before it is placed in output that is used as a web page that is served to other users.

    Example submitted data to get the error:
    submitted=Y&rRating=5&rName=%27+onerror%3D%27new+dd4f47e67c209667613c1d7d5cc9a1d2%3B%2F%2F%22+onerror%3D%22new+dd4f47e67c209667613c1d7d5cc9a1d2%3B&rEmail=&rText=

    Basically you can insert JavaScript onto a person's website using your plugin.

    For more info you can see http://cwe.mitre.org/data/definitions/79.html

    Please fix!
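    The following is an added illustration, not the plugin's code or anything posted in this thread: it URL-decodes the form body quoted above, renders the `rName` field into a hypothetical single-quoted HTML attribute both raw and with attribute-context encoding, and uses a parser to check which attributes the browser would actually see. The `<img alt=...>` template is an assumption for demonstration only.

```python
"""Added example (not the plugin's code): how the rName payload from the report breaks
out of an attribute, and how output encoding (CWE-79 mitigation) neutralises it."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# The form body quoted in the report, reproduced verbatim.
REPORT_BODY = ("submitted=Y&rRating=5&rName=%27+onerror%3D%27new+dd4f47e67c209667613c1d7d5cc9a1d2"
               "%3B%2F%2F%22+onerror%3D%22new+dd4f47e67c209667613c1d7d5cc9a1d2%3B&rEmail=&rText=")


def decode_review(body: str) -> dict:
    """URL-decode the form body into one value per field ('+' becomes a space)."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def render_unescaped(review: dict) -> str:
    """Vulnerable pattern (hypothetical template): raw input inside a quoted attribute."""
    return "<img alt='" + review["rName"] + "' src='avatar.png'>"


def render_escaped(review: dict) -> str:
    """Hardened: encode for the HTML attribute context, quotes included, before output."""
    return "<img alt='" + html.escape(review["rName"], quote=True) + "' src='avatar.png'>"


class _ImgAttrs(HTMLParser):
    """Collects the attributes of the first <img> tag, as a browser would tokenise them."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img" and not self.attrs:
            self.attrs = dict(attrs)


def attribute_names(markup: str) -> set:
    parser = _ImgAttrs()
    parser.feed(markup)
    parser.close()
    return set(parser.attrs)


def event_handlers(markup: str) -> list:
    """Event-handler attributes (on*) that ended up as real attributes of the tag."""
    return sorted(a for a in attribute_names(markup) if a.startswith("on"))


if __name__ == "__main__":
    review = decode_review(REPORT_BODY)
    print("raw render   ->", event_handlers(render_unescaped(review)))  # ['onerror']
    print("escaped render ->", event_handlers(render_escaped(review)))  # []
```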

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Contributor Nuanced Media

    (@nuanced-media)

    privateboxnz,

    I am well aware of what cross-site scripting is; I honestly thought I had set up preventative measures for this type of attack. I will make an effort to patch any remaining vulnerabilities quickly. I would greatly appreciate it if you could provide me with more detail as to how you got this injection working. If you could please email me at plugins@nuancedmedia.com, I would greatly appreciate it.

    Thanks,
    Charlie Maxwell
    [NM_Developer]

    Thread Starter privateboxnz

    (@privateboxnz)

    Right. So I went back to my PCI scanning provider and they agreed. No security hole here!

    Well done.

    Sorry for the bother!


The topic ‘XSS security flaw’ is closed to new replies.