Description:
Account name text fields have no validation, and any characters can be used to save the name. This can be used for malicious purposes: a complete malicious link can be saved in these text boxes, and when you send users an invitation to join a New Relic account, these names will render as a valid link in email clients. For example, if I save the account name as some porn site, it will render as a link in the email client. Since the email is from a trusted domain like New Relic, the victim will definitely want to click on the link, which will end up with him visiting some porn site. See the attached screenshot.
For example purposes I used http://google.com as the name.
@heldyboy Now if someone tries to add numbers or anything else except alphabetic characters, it will throw an error and no record will be saved until it matches the correct format.
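The report above relies on email clients turning URL-looking text into clickable links, and the follow-up comment describes the fix as a letters-only allowlist. The following is an added example (not New Relic's code, and not code from the reporter or the commenter) that shows both sides: a rough approximation of the autolinking heuristic that many mail clients apply to plain text, and a validator implementing the letters-only allowlist the comment describes. The function names, the 64-character length cap, the NFKC normalization step and the sample names are all assumptions made for this illustration.

```python
import re
import unicodedata
from typing import Dict, List, Tuple

# Constructed sample account names (assumption): the reporter's
# proof-of-concept value plus a few variants a reviewer would try.
SAMPLE_NAMES: List[str] = [
    "http://google.com",   # the reporter's example
    "Acme",
    "acme.example",        # bare host.tld, many clients still linkify it
    "Acme Corp 2",
    "www.example.org",
    "",
]

# Rough approximation (assumption) of the autolinking heuristic that
# common email clients apply to plain text: an explicit scheme, a
# leading "www.", or a bare hostname with a plausible TLD.
_AUTOLINK_RE = re.compile(
    r"""(?ix)
    (?:[a-z][a-z0-9+.-]*://\S+)                      # scheme://...
    |(?:\bwww\.[a-z0-9-]+(?:\.[a-z0-9-]+)+)          # www.host
    |(?:\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b)  # host.tld
    """
)


def would_autolink(text: str) -> bool:
    """True if a mail client is likely to render part of `text` as a link."""
    return _AUTOLINK_RE.search(text) is not None


# Allowlist matching the follow-up comment: alphabetic characters only.
# The length cap is an assumption; the report does not specify one.
MAX_LEN = 64
_ALLOWED_RE = re.compile(r"^[A-Za-z]+$")


def validate_account_name(name: str) -> Tuple[bool, str]:
    """Return (ok, reason). Reject anything outside the letters-only allowlist.

    NFKC normalization folds full-width and other compatibility forms
    (e.g. fullwidth "ｈｔｔｐ") into their ASCII equivalents before the
    allowlist check, so look-alike input cannot slip past the regex.
    """
    name = unicodedata.normalize("NFKC", name)
    if not name:
        return False, "empty"
    if len(name) > MAX_LEN:
        return False, "too long"
    if not _ALLOWED_RE.fullmatch(name):
        return False, "only letters are allowed"
    return True, "ok"


def triage(names: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each sample to (would a client autolink it, does the validator accept it).

    Anything that comes back (True, True) is a name that both renders as a
    link in an invitation email and passes validation, i.e. the bug class
    in the report is still present.
    """
    return {n: (would_autolink(n), validate_account_name(n)[0]) for n in names}


if __name__ == "__main__":
    for name, (links, accepted) in triage(SAMPLE_NAMES).items():
        print(f"{name!r:22} autolinks={links!s:5} accepted={accepted}")
```

With the samples above, `triage` reports that every URL-shaped name is rejected, so none of them reaches the invitation email. The allowlist is the stricter of the two checks; the autolink heuristic is only there to make the reviewer's reasoning visible and should not be used as the validator on its own, since it will always lag behind what real mail clients linkify.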
Steps:
Impact: No validation on account names