I tell you what we should do is create a list of what html we will allow and take it from there... else just put the less than and greater than signs in the database as HTML charater entities..
#8 HTML Bug?
I don't know how close this resembles phpNuke in the code, but posted on phpNuke was this bug:
"I found that anyone can submit HTML tags to a Nuked site. If you put some Javascript in the text, you can do any kind of harm to the admin -- redirecting him to a bad site, or creating a thousand of browser instances for him (you can create just one instance of the same page by window.open(document.location.href) and there you are: a recursion!) Therefore, you can nuke any PHPNuke admin :-)"
Is phpWebsite vulnerable as well?
Discussion
-
Agreed. We talked about this and there definately needs to be some parsing. We also need to implement the dirty-word stripping so this would be a good time to plug that feature in.
-
- assigned_to: nobody --> refurbished
-
- priority: 5 --> 9
-
Tested this bug pretty well. Please come to our site and try to hack us :)
Adam
-
- status: open --> closed
Log in to post a comment.