Cross site scripting issue in OSQA about page #516

Open
anuvarman opened this Issue Dec 5, 2016 · 1 comment

anuvarman commented Dec 5, 2016

I have installed OSQA successfully in my organisation. While doing a security check we found an XSS issue in the OSQA About page. For example, we tried the entry below on the OSQA About page using the administration screen. Can someone please suggest a fix for the XSS issue?

> <span class="orange" onmouseover="alert(12);">Q&amp;A</span>
jchubber commented Mar 9, 2018

@anuvarman This is only an XSS vulnerability if hackers can log in as administrators. That page is driven by https://github.com/dzone/osqa/blob/master/forum/urls.py#L42 and is populated directly from the database based on whatever the admin users put into that field. You should definitely not grant any admin access to users who you do not trust to NOT inject XSS into that field, or any other field (or view user data, for that matter because any admin user can do that).

Basically, don't worry, and make sure you limit admin access to people you trust.

IMHO, this should be a wontfix and should be closed.
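The thread above leaves the About field as trusted admin HTML. As an added example (not OSQA project code, and not something either participant posted), the allowlist sanitizer below shows the defence-in-depth alternative a site operator could apply to that field before storing or rendering it: only a small set of formatting tags survives, every attribute not explicitly allowed is dropped (so `on*` event handlers such as the `onmouseover` in the report never reach the page), `href` values are restricted to known-safe schemes, and `<script>`/`<style>` bodies are discarded entirely. The tag and attribute lists are assumptions chosen for illustration; it uses only the Python standard library.

```python
# Added example, not OSQA's own code: an allowlist HTML sanitizer for
# admin-entered markup such as the About page field from this issue.
# Assumptions: Python 3 stdlib only; the allowed tag/attribute sets below are
# illustrative choices, not OSQA's configuration.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "ul", "ol", "li", "a", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"class"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}      # tag AND its text are discarded
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def _safe_url(value):
    """Only absolute http(s)/mailto links; rejects javascript:, data:, etc."""
    return (value or "").strip().lower().startswith(SAFE_URL_SCHEMES)


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []          # open allowed tags, so output stays balanced
        self.dropped = []        # what was removed; useful for audit logging
        self._skipping = None    # currently inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skipping = tag
            self.dropped.append(("tag", tag))
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            # Anything not on the allowlist goes, which covers every on* handler.
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(("attr", f"{tag}@{name}"))
                continue
            if name == "href" and not _safe_url(value):
                self.dropped.append(("attr", f"{tag}@{name}"))
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag == self._skipping:
            self._skipping = None
            return
        if tag in self.stack:
            # Close everything opened after it, which repairs mis-nesting.
            while self.stack:
                open_tag = self.stack.pop()
                self.out.append(f"</{open_tag}>")
                if open_tag == tag:
                    break
        # Stray end tags for unknown or unopened tags are simply dropped.

    def handle_data(self, data):
        if self._skipping:
            return
        # Text is re-escaped, so entities like &amp; round-trip safely.
        self.out.append(escape(data, quote=False))

    def result(self):
        while self.stack:                     # close anything left open
            self.out.append(f"</{self.stack.pop()}>")
        return "".join(self.out)


def sanitize(html):
    """Return a sanitized copy of untrusted HTML."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return parser.result()


# Constructed sample inputs; the first is the entry quoted in the report.
SAMPLES = [
    '<span class="orange" onmouseover="alert(12);">Q&amp;A</span>',
    '<a href="javascript:alert(1)" title="t">link</a>',
    '<script>alert(1)</script><b>bold',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", repr(sanitize(s)))
```

Running the block prints the sanitized form of each sample; the reported entry becomes `<span class="orange">Q&amp;A</span>` with the event handler removed. The `dropped` list on the parser is worth writing to a log, since an admin account that starts submitting event handlers or script blocks into a site-wide page is itself a signal worth investigating.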
