XSS on admin login page #639

Closed
eikes opened this Issue Aug 22, 2011 · 1 comment


@eikes

The :email and :password variables are not escaped in the Admin controller. Also GET vars can be used where only POST should be used.

possibly adding

  params[:email] = escape_html(params[:email])
  params[:password] = escape_html(params[:password])

before

  flash[:warning] = "Login or password wrong."

might help, but I haven't tried it.

Example of this XSS (view in Firefox, Opera or IE; WebKit filters this kind of XSS):

http://www.padrinorb.com/admin/sessions/new?email=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E%3Cinput
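The two problems in the report, shown side by side in an added example that is not part of the issue and not Padrino's own admin code: a hypothetical login template that interpolates the submitted email straight into a value attribute (the reported bug), the same template with the value HTML-escaped, and a minimal handler that refuses anything but POST. CGI.escapeHTML from the Ruby standard library stands in for Padrino's escape_html helper so the file runs without the gem; the payload is the URL-decoded form of the query string quoted above.

```ruby
require "cgi"

# Constructed payload: the URL-decoded form of the query string in the report
# (%22%3E%3Cscript%3E... decodes to "><script>...).
XSS_PAYLOAD = %q{"><script>alert("XSS")</script><input}

# Hypothetical template mirroring the reported bug: the submitted email is
# written back into the value attribute without escaping, so a double quote
# in the input closes the attribute and the rest is parsed as markup.
def render_login_unescaped(email)
  %Q{<form method="post"><input type="text" name="email" value="#{email}"></form>}
end

# Hardened version: HTML-escape before interpolating. CGI.escapeHTML turns
# " < > & into entities, so the payload stays inside the attribute value.
def render_login_escaped(email)
  %Q{<form method="post"><input type="text" name="email" value="#{CGI.escapeHTML(email)}"></form>}
end

# True when a script element made it into the markup, i.e. the input broke
# out of the attribute context.
def script_injected?(html)
  html.include?("<script>")
end

# Second point in the report: the login action should only accept POST.
# A minimal handler that checks the method before touching params; returns
# a [status, body] pair. Hypothetical, not Padrino's sessions controller.
def handle_login(method, params)
  return [405, "Method Not Allowed"] unless method == "POST"
  email = params.fetch("email", "")
  [200, render_login_escaped(email)]
end

if __FILE__ == $0
  puts render_login_unescaped(XSS_PAYLOAD)
  puts render_login_escaped(XSS_PAYLOAD)
end
```

Running the file prints the broken form first (a live script element followed by a dangling input) and then the escaped one, where the same bytes survive only as `&quot;&gt;&lt;script&gt;...`. Escaping at output time is the fix that holds regardless of where the value came from; the POST-only check on its own would not stop the reflected payload, it just removes the GET link as a delivery vehicle.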

@DAddYE
Padrino Framework member

Thanks man, will be applied soon!

@DAddYE DAddYE added a commit that closed this issue Aug 30, 2011
@DAddYE DAddYE Fix #639 9f4c315
@DAddYE DAddYE closed this in 9f4c315 Aug 30, 2011