Bug #3461

XSS - package system

Added by Fernando Munoz over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: Package System
Target version:
Start date: 02/17/2014
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture:
Description

The pkg parameter isn't encoded properly; it's possible to inject JavaScript code:

https://ip/pkg_mgr_install.php?mode=delete&pkg=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E

Associated revisions

Revision 248b0124 (diff)
Added by Ermal Luçi over 6 years ago

Ticket #3461. Protect output to browser by using htmlspecialchars.

Revision 82921e73 (diff)
Added by Ermal Luçi over 6 years ago

Fixes #3461. Remove any special char that can lead to shell/XSS compromises from submitted input.

Revision 6766e477 (diff)
Added by Ermal Luçi over 6 years ago

Fixes #3461. Remove any special char that can lead to shell/XSS compromises from submitted input.

History

#1 Updated by Ermal Luçi over 6 years ago

  • Target version set to 2.1.1
  • Affected Version set to All

#2 Updated by Ermal Luçi over 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Ermal Luçi over 6 years ago

#4 Updated by Renato Botelho over 6 years ago

  • Status changed from Feedback to Resolved
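
The two fixes named in the commit messages above, output encoding with htmlspecialchars and stripping special characters from submitted input, shown side by side in PHP. This is an added example, not code from pfSense or from the listed revisions; the function names, the HTML fragment, the script-context variant and the allowlist pattern are assumptions.

```php
<?php
// Added example, not pfSense code. All function names here are hypothetical.

// Constructed input: the URL-decoded pkg value from the report above.
$pkg = '</script><script>alert(1)</script>';

// Before: the raw value is concatenated into the response, so the browser
// parses the submitted markup as part of the page.
function render_unsafe(string $pkg): string
{
    return '<p>Removing package: ' . $pkg . '</p>';
}

// Output encoding: <, >, &, " and ' become HTML entities, so the value is
// displayed as text instead of being parsed as markup.
function render_encoded(string $pkg): string
{
    return '<p>Removing package: '
        . htmlspecialchars($pkg, ENT_QUOTES, 'UTF-8') . '</p>';
}

// If the value is placed inside a <script> block (an assumption about the
// context), emit it as a JavaScript string literal; JSON_HEX_TAG turns < and >
// into \u003C and \u003E so the value cannot close the script element.
function render_script_literal(string $pkg): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>var pkg = ' . json_encode($pkg, $flags) . ';</script>';
}

// Input filtering: drop every character outside an allowlist before the value
// reaches the page or a shell command. The character set is an assumption.
function sanitize_pkg(string $pkg): string
{
    return (string) preg_replace('/[^A-Za-z0-9_.+-]/', '', $pkg);
}

// Print each rendering so the difference in the emitted HTML is visible.
echo "unsafe:    ", render_unsafe($pkg), PHP_EOL;
echo "encoded:   ", render_encoded($pkg), PHP_EOL;
echo "script:    ", render_script_literal($pkg), PHP_EOL;
echo "sanitized: ", render_encoded(sanitize_pkg($pkg)), PHP_EOL;
```

The last line applies both layers: filtering limits what the rest of the code receives, and encoding at output still protects any path the filter does not cover.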
