blogifierdotnet / Blogifier

Blogifier is an open-source publishing platform written in ASP.NET and Blazor WebAssembly. With Blogifier, make a personal blog or a website.
https://blogifier.net
MIT License

Open Admin Panel Accessible with default Creds. #269

Closed RikunjSindhwad closed 3 years ago

RikunjSindhwad commented 3 years ago

Stored XSS. As the website is still in dev it won't be an issue, but people can access this website, including you, and due to arbitrary JavaScript execution an attacker can take control over the browser and maybe your system. An attacker can send malicious requests using your browser, so it's better to remove access to the admin layout for everyone.

POC

https://demo.blogifier.net/posts/welcome-to-the-blogifier-demo-website (the above link executes JavaScript, just a pop-up)

Reference https://owasp.org/www-community/attacks/xss/

rxtur commented 3 years ago

The demo site is basically a sandbox, which is constantly deleted and recreated. But hurting someone with script injection is a valid point, so description and content in the post editor have been sanitized to not allow scripting.