Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix XSS from open bug bounty from slack message 01 #902

Conversation

sdennler
Copy link
Collaborator

1. Why is this change necessary?

XSS found over bug bounty. Cases messaged in Slack.

2. What does this change do, exactly?

  1. Encode the values in the target URL for the login forms.

3. Describe each step to reproduce the issue or behaviour.

See bug bounty submissions.

  1. https://www.opencaching.de/editcache.php?cacheid=">
  2. https://www.opencaching.de/editcache.php?cacheid=FUZZ/fw/syslogViewer.do?port=%22%3E%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E

4. Please link to the relevant issues (if any).

5. Checklist

  • I have written tests and verified that they fail without my change
  • I have squashed any insignificant commits
  • This change has comments for package types, values, functions, and non-obvious lines of code

@teiling88 teiling88 merged commit 4bdd6a0 into OpencachingDeutschland:development Dec 12, 2022
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
2 participants