Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The code has stored XSS vulnerabilities #456

Closed
g0h3aler opened this issue Apr 13, 2021 · 3 comments
Closed

The code has stored XSS vulnerabilities #456

g0h3aler opened this issue Apr 13, 2021 · 3 comments

Comments

@g0h3aler
Copy link

The XSS filtering of blog title, Tagline, and Description in config.html.php is not rigorous, resulting in the generation of stored XSS
image
image
Front display
image

@danpros
Copy link
Owner

danpros commented Apr 13, 2021

Hello,

Thanks for reporting this but at least we need admin access to add it (HTMLy is safe as long as you don't hack your own blog). On any system if you can gain admin access it will be a disaster.

I will look into it.

@danpros
Copy link
Owner

danpros commented Apr 16, 2021

The description mostly used to generate the about widget on sidebar and usually we put a link or even script. Using custom config page we can inject script to our blog eg. for custom comment script, tweet etc. so this is not bug but a feature, and the config page only accessible by the admin. So at the moment I will mark it as won't fix. Thanks.

@danpros danpros closed this as completed Apr 16, 2021
@danpros
Copy link
Owner

danpros commented Apr 16, 2021

Please re open if non admin users or even not logged user can access and edit the config page.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants