Re: [openupload-devel] Potential XSS vulnerability
From: Johannes S. <j.s...@de...> - 2016-06-03 13:55:45
It is possible to inject JavaScript code through the filename of the uploaded file. The vulnerability exists in the default installation and affects all administrator or user accounts which can see the names of uploaded files.

For testing, upload a file named

"><img src=x onerror=alert(document.cookie)>.png

The JavaScript is stored and also affects the file list at the Administration Panel.

Greets,
Johannes

On 03.06.16 at 10:42, Alessandro Briosi wrote:
> Well,
> not really... but please send me details about it.
>
> Alessandro
>
> On 01/06/2016 16:34, Johannes Schröter wrote:
>> Hi,
>>
>> will this project still be maintained?
>>
>> There exists a potential XSS vulnerability.

--
devWerks IT-Security and Development
Johannes Schröter
Gartenstrasse 2
36129 Gersfeld
Phone: +49 (0)171 / 4832242
E-Mail: j.s...@de...
http://www.devwerks.net
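
Added example, not part of the original message and not OpenUpload's own code: the stored-filename issue reported above, shown as an unescaped file-list row beside a row that encodes the name at output time. It assumes a PHP page renders the list; the function names, the `download.php?id=` link and the table markup are hypothetical.

```php
<?php
// Added illustration. Names and markup are hypothetical, not taken from OpenUpload.

// Vulnerable pattern: the stored filename is concatenated into HTML as-is,
// so a name containing "> ends the attribute and the tag it was placed in.
function render_row_unsafe(string $name, int $id): string
{
    return '<tr><td><a href="download.php?id=' . $id . '" title="' . $name . '">'
         . $name . '</a></td></tr>';
}

// Encode for the HTML context at output time.
// ENT_QUOTES covers both quote styles (needed inside attributes);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: every place the filename is written goes through h().
function render_row_safe(string $name, int $id): string
{
    return '<tr><td><a href="download.php?id=' . $id . '" title="' . h($name) . '">'
         . h($name) . '</a></td></tr>';
}

// Filename from the report, as it would come back from storage.
$name = '"><img src=x onerror=alert(document.cookie)>.png';

$unsafe = render_row_unsafe($name, 1);
$safe   = render_row_safe($name, 1);

// Self-check: the unsafe row contains a live <img> tag, the safe row does not.
if (strpos($unsafe, '<img') === false || strpos($safe, '<img') !== false) {
    throw new RuntimeException('unexpected rendering result');
}

echo $unsafe, PHP_EOL; // filename is parsed as markup by the browser
echo $safe, PHP_EOL;   // filename is displayed as text only
```

Because the report says the name is stored and shown in more than one view, the encoding has to be applied in every template that prints it, including the Administration Panel file list.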