This repository has been archived by the owner on Oct 30, 2019. It is now read-only.
Yes, I know the software is vulnerable and will probably mark it as such or shut
the repo down.
I initially read the description of the markdown library as such that it
would sanitize HTML from JavaScript or similar, which it apparently doesn't.
I'd be curious to know why PHP works since the posts are never "executed"
on the server side.
Thanks for reporting though, I'll keep this issue open for people to see.
COOLGAMETUBE <[email protected]> wrote on Wed, 23 Nov 2016 20:23:
You can add HTML (including JavaScript and CSS) and PHP in Forum-Posts.
That means, the user does have:
- Full MySQL Access
- Full File Access
- Can hook Users
- Can do other weird shit.