XSS vulnerability #741

Merged
merged 2 commits into from May 30, 2018
Conversation

timersys
Contributor

Many projects copy the whole files including this example, which makes their projects vulnerable by simply going to the URL:
http://vulnerablesite.com/vendor/mobiledetect/mobiledetectlib/examples/session_example.php/"></script><script>alert(42)</script>

@timersys
Contributor Author

@serbanghita I couldn't find a way to contact you other than PR

@serbanghita serbanghita merged commit 31818a4 into serbanghita:master May 30, 2018
@serbanghita
Owner

Thanks, really didn't take that into account. I think I'm going to get rid of PHP_SELF

@timersys
Contributor Author

Any user input would cause the same really. I'm using the library in one of my WordPress plugins and I got reported about the vulnerability. So after testing it and verifying that it indeed was a security risk, I reported it to you.
I guess the best would be to release a new version so most users can get the update with composer update.

@serbanghita
Owner

@timersys yeah that makes sense, I could also exclude these files from the release since they are not relevant to the actual library

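The pattern this thread is about, reflecting `PHP_SELF` into markup, next to the two usual fixes, as an added example. This is not code from the Mobile_Detect repository or from either participant; the form markup and function names are assumptions, and the actual contents of examples/session_example.php may differ. The constructed request reuses the path reported above to show that escaping leaves it inert.

```php
<?php
// Added example, not the project's code. Demonstrates why echoing PHP_SELF
// unescaped gives a reflected XSS, and two ways to avoid it.

// VULNERABLE (assumed shape of the example page): PHP_SELF contains the
// request path, including any path-info the client appends after the script
// name, so the value is attacker-controlled and breaks out of the attribute.
function form_action_unsafe(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// SAFER: escape before placing the value in an attribute. ENT_QUOTES encodes
// both quote characters, so the attribute cannot be closed early, and the
// angle brackets are encoded, so no tag can be opened.
function form_action_escaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $self . '">';
}

// SAFEST for an example page: do not reflect the request at all. An empty
// action submits to the current URL, which is all the example needs, and
// matches the owner's intent of getting rid of PHP_SELF entirely.
function form_action_fixed(): string
{
    return '<form method="post" action="">';
}

// Constructed $_SERVER fragment mirroring the URL reported in this PR.
$constructed = [
    'PHP_SELF' => '/examples/session_example.php/"></script><script>alert(42)</script>',
];

echo form_action_unsafe($constructed), PHP_EOL;   // attribute broken open, script tag emitted
echo form_action_escaped($constructed), PHP_EOL;  // quotes and brackets entity-encoded
echo form_action_fixed(), PHP_EOL;                // nothing from the request reaches the page
```

Run it with `php example.php` and compare the three lines. As the reporter notes, any other request-derived value (`REQUEST_URI`, query parameters) echoed the same way has the same problem, so the escaping rule applies to all of them, not just `PHP_SELF`.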