You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The following low level security issue has been reported which could allow session data to be stolen in the unlikely event the browsers user agent is malformed with malicious code. This is considered to be a very low level threat and the chances of actual exploitation are expected to be slim to none.
Thanks goes to Ilca Lucian for the following report.
Description
This sub domain is vulnerable to an client side security issue named Cross-Site-Scripting , because the value of the untrusted input is render back to the user.
This can cause :
-authentication/cookie thief
-phishing
-malicious application installation in the shop.
In this demonstration I used a XSS vector that will echo the cookie in the main page in which the vector is executed thru the "search" parameter.
This client side security issue was tested in a controlled environment with the following configuration:
OS: Debian Wheezy
Browser: Mozilla Firefox & Google Chrome
Remediation
My remediation for this kind of problem is: to parameterize the untrusted input so it is not confused as its own javascript code and executes.
The text was updated successfully, but these errors were encountered:
The following low level security issue has been reported which could allow session data to be stolen in the unlikely event the browsers user agent is malformed with malicious code. This is considered to be a very low level threat and the chances of actual exploitation are expected to be slim to none.
Thanks goes to Ilca Lucian for the following report.
The text was updated successfully, but these errors were encountered: