Creepsky / creepMiner

Burstcoin C++ CPU and GPU Miner
GNU General Public License v3.0
XSS via wallet name on web interface #151

Open theblazehen opened 7 years ago

theblazehen commented 7 years ago

I set my wallet name to `<script>alert('XSS');</script>` and some time later I got that on the creepminer web interface.

Creepsky commented 7 years ago

:smile: This should better be secured!

Also: if the pool or wallet sends HTML code as a response for a request, the web interface tries to parse it and executes JavaScript inside it.
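
The two problems reported above, with one way to close them, as an added example that is not creepMiner's code: a remote-controlled wallet name is escaped before it is placed in markup, and a pool or wallet reply is parsed only when it is JSON. All function names and the sample account are constructed for illustration.

```javascript
// Added example; every name here is hypothetical and not taken from creepMiner.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escapes for HTML text and quoted-attribute contexts only
// (not sufficient inside <script>, style or URL contexts).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the wallet name comes from a remote party and is placed in markup as-is.
function renderWalletRowUnsafe(account) {
  return `<tr><td>${account.name}</td><td>${account.address}</td></tr>`;
}

// "After": every remote-controlled field is escaped at the point of output.
function renderWalletRowSafe(account) {
  return `<tr><td>${escapeHtml(account.name)}</td><td>${escapeHtml(account.address)}</td></tr>`;
}

// Pool/wallet replies: parse only JSON. Anything else (for example an HTML
// error page) is reduced to a short escaped text snippet and never rendered as markup.
function describePoolResponse(contentType, body) {
  if (/^application\/json\b/i.test(contentType || '')) {
    try {
      return { ok: true, data: JSON.parse(body) };
    } catch (err) {
      // Malformed JSON falls through to the text path below.
    }
  }
  return { ok: false, text: escapeHtml(String(body).slice(0, 200)) };
}

// Constructed sample input: the wallet name from the report, placeholder address.
const sampleAccount = {
  name: "<script>alert('XSS');</script>",
  address: 'BURST-XXXX-XXXX-XXXX-XXXXX',
};

console.log(renderWalletRowUnsafe(sampleAccount)); // script tag survives intact
console.log(renderWalletRowSafe(sampleAccount));   // script tag is inert text
console.log(describePoolResponse('text/html', '<html><script>x()</script></html>'));
```

Escaping on output is the relevant control here because the name is set by someone else and stored remotely, so the miner cannot rely on validating it at input time.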

theblazehen commented 7 years ago

Thanks for the quick response. I underestimated the impact that this could have had, otherwise I would have contacted you through more private means rather than adding it all to the ticket.

Creepsky commented 7 years ago

Oh you did nothing wrong, thanks for submitting it! This is exactly what the issue tracker is good for : )

damccull commented 6 years ago

Was this ever solved @Creepsky? Is 1.6+ now secure from this issue?