[BUG] Shop vouchers injection flaw #278
Labels
bug
Something isn't working
Comments
|
I just looked at it is only visual there is the money that is taken |
|
Yes exactly, it should take 15.00 but takes 0. |
|
No, it takes 15.00 if the item is 15.00 |
yes i know but the bug lets you get the item for free |
|
I just tested with the bug, if I do the bug it displays 0 but it still takes the money from the item because the display is in javascript that's all |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Using a json format such as
{\ngives 100% off on any shop item.The voucher discount system allows code injection.
To Reproduce | Pour reproduire le bug
go to your /shop and for the voucher code use "{\n" and click purchase.
Steps to reproduce the behavior: | Étapes pour reproduire le bug :
Go to '/shop'
Click on 'Shop item'
Scroll down to 'text box below price'
Enter '{\n' and click purchase
Expected behavior | Ce qui aurait dû se passer
To return an error that says the code is invalid
Screenshots
MineWeb (please complete the following information):
OS: Ubuntu 20.04
Microsoft Edge Beta
Version : 1.13.0
Web server : Apache2
Path to logs (upload the content off /app/tmp/logs/error.log https://pastebin.com/AAkh44ZQ
The text was updated successfully, but these errors were encountered: