TeamMentor / Master

TEAM Mentor 3.x Released Code

Check if TM TBot Json pages are affected by the subtle JSON hijacking vulnerability #797

Open DinisCruz opened 10 years ago

DinisCruz commented 10 years ago

See these posts for more details on this issue:

http://haacked.com/archive/2009/06/25/json-hijacking.aspx/

One example of a page that returns a JSON object is /rest/tbot/json/Json_UserTags

references:
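As an added check (example code written for this issue, not code from the TeamMentor project), the script below classifies a captured JSON response for the pattern Haack describes: a bare top-level array served on GET with no anti-script-inclusion prefix. The endpoint path comes from the issue; the sample body, the `Finding` type and the `d`-wrapper fix are assumptions.

```python
import json
from dataclasses import dataclass, field

# Prefixes that make a JSON body a syntax error (or an endless loop) when a
# foreign page loads it as a <script>, while the first-party XHR caller
# strips them before parsing.
XSSI_PREFIXES = (")]}',\n", "while(1);", "for(;;);")


@dataclass
class Finding:
    endpoint: str
    prone: bool
    reasons: list = field(default_factory=list)


def check_json_endpoint(endpoint, method, content_type, body):
    """Flag a response when all three hold: served on GET (loadable cross-origin
    via <script src>), top-level JSON value is an array (a bare array is a valid
    JavaScript program, an object literal is not), and no XSSI prefix is present.
    Whether the array carries sensitive data still needs a human judgement."""
    if method.upper() != "GET":
        return Finding(endpoint, False, ["served on %s, not loadable via <script src>" % method])
    stripped = body.lstrip()
    for prefix in XSSI_PREFIXES:
        if stripped.startswith(prefix):
            return Finding(endpoint, False, ["protected by prefix %r" % prefix])
    try:
        value = json.loads(body)
    except ValueError:
        return Finding(endpoint, False, ["body is not JSON"])
    if not isinstance(value, list):
        return Finding(endpoint, False, ["top-level value is not an array"])
    reasons = ["top-level JSON array is a valid JavaScript program",
               "reachable on GET, so a cross-origin <script src> can load it"]
    if "json" not in content_type.lower():
        reasons.append("content-type %r does not declare JSON" % content_type)
    return Finding(endpoint, True, reasons)


def harden_body(body):
    """One server-side fix: wrap a bare array in an object (the "d" wrapper
    convention ASP.NET AJAX uses) and prepend the )]}', prefix."""
    value = json.loads(body)
    if isinstance(value, list):
        value = {"d": value}
    return XSSI_PREFIXES[0] + json.dumps(value)


# Constructed sample response for the endpoint named in the issue (not captured
# from a real TeamMentor instance).
SAMPLE_ENDPOINT = "/rest/tbot/json/Json_UserTags"
SAMPLE_BODY = '["admin", "tbot", "security"]'

if __name__ == "__main__":
    print(check_json_endpoint(SAMPLE_ENDPOINT, "GET", "application/json", SAMPLE_BODY))
    print(check_json_endpoint(SAMPLE_ENDPOINT, "GET", "application/json", harden_body(SAMPLE_BODY)))
```

The first-party JavaScript client must strip the prefix and unwrap `d` after the fix, so apply it to the server and the caller together.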

romichg commented 10 years ago

While this is important, I don't see this as a priority as a successful attack would be against an administrator, not the user, which limits the scope. I would suggest moving to 3.6, but will leave this here as a P4 for now.

DinisCruz commented 10 years ago

Moving to 4.0