WeBid Bug Tracking

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0000245WeBidAuctionspublic2011-03-21 05:092012-12-13 16:19
ReporterStudentExchange 
Assigned To 
Priority@0@SeverityminorReproducibilityhave not tried
StatusresolvedResolutionfixed 
PlatformOSOS Version
Product Version1.0.1 
Target VersionFixed in Version1.0.3 
Summary0000245: Script injection vunerability
DescriptionI have noticed that some fields are not properly validated for content, therefore allowing a user to potentially insert malicious scripting to a site from the front end. I tested this by submitting a simple JavaScript alert into a title field of the "sell and item" page instead of the appropriate content. Upon submitting the page the JavaScript alert was in fact executed with a pop-up message.
TagsNo tags attached.
import_id247
Thread
Attached Files

- Relationships

-  Notes
(0000613)
Justin Weeks (viewer)
2011-03-31 05:30
edited on: 1970-01-01 00:00

Can confirm this. Modified code to pipe all data trough http://htmlpurifier.org/[/url] [^] library. Where do I send patch?
(0000614)
Box Lot (reporter)
2011-03-31 18:46
edited on: 1970-01-01 00:00

Trusting that this is the case I would say for once the Priority set is low.

This is a Priority 1 issue as are all vulnerability issues.

Thanks for testing and posting this one guys.
(0000615)
renlok (administrator)
2011-04-01 13:55
edited on: 1970-01-01 00:00

to [email]admin@webidsupport.com[/email]
(0000617)
Box Lot (reporter)
2011-04-03 05:38
edited on: 2011-04-03 05:38

Might not go without saying guys so - retest aggressively please!

Thanks for quick response to this one Renlok!
(0000707)
grandpha (reporter)
2011-05-08 00:45
edited on: 1970-01-01 00:00

I'm using 1.0.2 and it looks like someone keeps messing with my site . At first I thought it is a webid error but looks like someone is injecting a code into my php files. There is a post with all the errors here :
http://www.webidsupport.com/forums/showthread.php?3615-Weird-error.&p=18324#post18324[/url] [^]

- Issue History
Date Modified Username Field Change
2015-04-01 13:17 renlok New Issue
2015-04-01 13:17 renlok import_id => 247
2015-04-01 13:17 renlok Date Submitted 2015-04-01 13:17 => 2011-03-21 05:09
2015-04-01 13:17 renlok Last Update 2015-04-01 13:17 => 2012-12-13 16:19


Copyright © 2000 - 2017 MantisBT Team
Powered by Mantis Bugtracker