Cross-site scripting vulnerability: MANAGE SUBSCRIPTIONS #431
Comments
|
Hello @brabbins thank you for your report, StCR has both validation on JS and PHP, so I am not aware of this new report, can you add a detail explanation of how you find the vulnerability ? Regards.!! |
|
If you would like, I could email you directly. |
|
Yes please, reedyseth {at) gmail 'dot' com |
|
Did this ever get sorted out? |
|
A few minutes of testing indicates no, this has not been fixed. |
|
Unfortunately I have not heard back from the developer for quite sometime. |
|
I have a patch for this, I'll get a merge request sent soon. I wanted to do just a bit more hunting for similar xss instances first.
Jesse Norell
…-----Original Message-----
From: brabbins <notifications@github.com>
To: stcr/subscribe-to-comments-reloaded <subscribe-to-comments-reloaded@noreply.github.com>
Sent: Fri, 28 Sep 2018 8:31 AM
Subject: Re: [stcr/subscribe-to-comments-reloaded] Cross-site scripting vulnerability: MANAGE SUBSCRIPTIONS (#431)
Unfortunately I have not heard back from the developer for quite sometime.
--
You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
#431 (comment)
|
|
HI Guys, sorry that I have not been paying attention to this important matter. I have a development version of the plugin that is very different from the master branch, I will give you an answer to see if this is cover on the dev version. https://github.com/stcr/subscribe-to-comments-reloaded/tree/development |
|
this seems to address the specific issue and at least one other (similar issue with email coming from a cookie rather than form field) and does a little sanity encoding/sanitizing (I think it fixed another issue for me in subscriptions, too :) @brabbins - thanks for this; if you have any other issues from this or future security audits, please send the info. @Reedyseth I haven't tried that branch; we're working towards something we can deploy soon, what's the current status of the development branch, at all usable or ?? thanks! |
Not usable for jr. developers, it changed a lot from the master branch and it needs some setup. |
|
@Reedyseth, in case you didn't see the note above, there is a merge request to fix this issue. |
|
@Reedyseth, did you have any questions or concerns with this fix? You might want to push a version update with it, rather than waiting for the development branch to stabilize? Thanks, |
|
Hi Guys, the code is already added to the dev version 2f37d33 and I will be releasing the next week. Best regards.!! |
|
Thanks @Reedyseth ! |
Recently we had security audit on one our websites and this plugin showed a cross-site scripting vulnerability. From what I could tell this is happening on the MANAGE SUBSCRIPTIONS/comment-subscriptions page when JS is turned off and in the email input field. I was able to submit script tags and js.
The text was updated successfully, but these errors were encountered: