Administrator/add_pictures.php,Administrator/users.php(fix): used htmlspecialchars variable to ensure that XSS is prevented by replacing any possible bad chars #3

Open. Wants to merge 1 commit into base: master.

manasmbellani commented Dec 30, 2018

Dear Repository maintainer,

Hope you are going well and had a Merry Christmas.

Administrator/add_pictures.php,Administrator/users.php(fix): used htmlspecialchars variable to ensure that XSS is prevented by replacing any possible bad chars

Without applying this temporary fix, it is possible to trick admins of the CMS into executing arbitrary JavaScript code and having their cookies stolen, or into revealing info of other websites through tools such as BEEF Hook. PoC can be provided if required.

I would like to release the PoC exploit after 2 weeks (14 days); could you please let me know at manasmbellani@gmail.com if you have any queries, concerns or issues with the requested fix. I would recommend pulling this branch version and updating to the latest as soon as possible.

I will also be requesting a CVE number via CVE Mitre for this bug.

Wish you a very Happy New Year!

Thanks and Kind Regards,

Manas Bellani
manasmbellani@gmail.com
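The pull request above replaces raw echoes of stored values with `htmlspecialchars`. The following is an added illustration of that output-encoding pattern, not code from this repository or from the pull request: it places the vulnerable "echo straight into markup" form beside the hardened form so the difference is visible on one constructed input. The file context, the `e()` helper name and the sample value are assumptions made for the example.

```php
<?php
// Added example: output encoding for user-controlled values rendered in a
// PHP admin page. Not code from the repository this pull request targets;
// the helper name and the sample value below are constructed for illustration.

declare(strict_types=1);

// Constructed sample: a "picture title" or "username" as an attacker might
// have stored it, read back from the database and about to be echoed.
$untrusted = "Bob's <script>alert(document.cookie)</script> \" onmouseover=\"alert(1)";

// Vulnerable pattern: the stored value is interpolated straight into HTML,
// so the browser parses the injected <script> tag and the extra attribute.
function render_unescaped(string $value): string
{
    return "<td title='$value'>$value</td>";
}

// Hardened pattern: encode on output for the HTML context the value lands in.
// ENT_QUOTES encodes both " and ' (the default ENT_COMPAT leaves ' alone,
// which is exactly what is needed to break out of a single-quoted attribute);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string;
// the explicit charset avoids depending on the default encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_escaped(string $value): string
{
    return "<td title='" . e($value) . "'>" . e($value) . "</td>";
}

echo "Unescaped: ", render_unescaped($untrusted), PHP_EOL;
echo "Escaped:   ", render_escaped($untrusted), PHP_EOL;
```

Running this prints the escaped row with `<`, `>`, `"` and `'` turned into HTML entities, so the browser renders the value as text instead of executing it. Two points a reviewer would check in a fix of this kind: the encoding must happen at every output site (both files named in the pull request, and any others that echo the same columns), and `htmlspecialchars` only covers HTML text and attribute contexts; a value placed inside an inline `<script>` string or a URL needs context-specific encoding instead.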
