
[BUG] [XSS] XSS script in the Menu form / Nama Desa (Village Name) form #1989

Closed
mugi789 opened this issue Mar 24, 2019 · 1 comment

Comments


@mugi789 mugi789 commented Mar 24, 2019

What are the steps that lead to the problem?

  1. Log in at http://belajar.opendesa.id/index.php/siteman
    [image]

  2. Go to the page http://belajar.opendesa.id/index.php/menu/form/1 > Tambah Menu Baru (Add New Menu)
    [image]

  3. Enter the text <script>alert("Apakah Ini Bug XSS ?")</script> in the Nama (Name) field > choose the link type Artikel Status > then click Simpan (Save)
    [image]

  4. And this is what happens
    [image]

What was expected?

I can't answer that yet, because I myself don't understand JavaScript or XSS yet

What happened?

It is still possible to add an XSS script in the name form on the menu page

Additional information

This is how it appears on the home page http://belajar.opendesa.id/index.php/first/
[image]

Addendum

And this is the bug in the Nama Desa (Village Name) form
http://belajar.opendesa.id/index.php/hom_desa/konfigurasi
[image]
[image]

Q&A
OpenSID version: 19.03-pasca
PHP version:
Operating system:
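The report above shows the classic stored-XSS pattern: an administrator-entered string (a menu name, the village name) is saved and later written into the public home page unescaped, so the browser runs the script on every visit. The following is an added example, not OpenSID's own code, showing the two defensive layers a fix would normally combine: refusing HTML in these fields on the way in (the approach the referenced security-fix commit describes for the application settings) and escaping at render time regardless. The helper names validate_name, e and render_menu_item are hypothetical; the href value is constructed for the demonstration.

```php
<?php
// Added example (not OpenSID's own code): input validation plus output
// escaping for user-supplied names that end up inside public HTML.
declare(strict_types=1);

/**
 * Layer 1 (input, hypothetical helper): reject a menu or village name that
 * contains HTML markup instead of silently rewriting what the admin typed.
 * strip_tags() returning something different from the input means a tag
 * was present, which is the conservative signal we want here.
 */
function validate_name(string $name): bool
{
    if (strip_tags($name) !== $name) {
        return false;
    }
    // No control characters, and a sane length for a menu label.
    if (preg_match('/[\x00-\x1F\x7F]/', $name) === 1) {
        return false;
    }
    $len = mb_strlen($name, 'UTF-8');
    return $len > 0 && $len <= 100;
}

/**
 * Layer 2 (output, hypothetical helper): escape at render time, every time,
 * whatever validation happened earlier. ENT_QUOTES also covers the attribute
 * context (title="..."), and ENT_SUBSTITUTE keeps malformed UTF-8 from
 * making htmlspecialchars() return an empty string and hide the value.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one menu entry the way a public template would. */
function render_menu_item(string $name, string $href): string
{
    return '<li><a href="' . e($href) . '">' . e($name) . '</a></li>';
}

// Constructed input: the payload quoted in this issue and a legitimate name.
$payload = '<script>alert("Apakah Ini Bug XSS ?")</script>';
$legit   = 'Profil Desa';

// The payload is refused at input time; the legitimate name is accepted.
var_dump(validate_name($payload));
var_dump(validate_name($legit));

// Even a stored value that slipped past validation renders as inert text,
// because the angle brackets and quotes are entity-encoded.
echo render_menu_item($payload, '/index.php/first/'), PHP_EOL;
echo render_menu_item($legit, '/index.php/first/'), PHP_EOL;
```

The output layer is the one that actually closes the hole: validation can be bypassed by any code path that writes the column directly (imports, older records, a second form such as the village-name configuration page mentioned below), whereas escaping in the template protects every reader of the field. In CodeIgniter 3, which OpenSID is built on, the framework's own html_escape() helper wraps htmlspecialchars() with ENT_QUOTES and the configured charset and can be used in place of the e() helper above.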
@mugi789 mugi789 changed the title [BUG] [XSS] XSS script in the Menu form [BUG] [XSS] XSS script in the Menu form / Nama Desa (Village Name) form Mar 24, 2019
eddieridwan added a commit that referenced this issue Mar 28, 2019
…ah entering HTML in the settings under Pengaturan Aplikasi (Application Settings). [security-fix]
@eddieridwan eddieridwan added this to SUDAH DI MASTER (Already in master) in Rilis yang sedang dikerjakan (Release in progress) Mar 28, 2019
Collaborator

@eddieridwan eddieridwan commented Mar 28, 2019

Already committed to master
