cosenary / Instagram-PHP-API

An easy-to-use PHP Class for accessing Instagram's API.
http://cosenary.github.com/Instagram-PHP-API
BSD 3-Clause "New" or "Revised" License

Security Fix for Cross-site Scripting (XSS) - huntr.dev #263

Open huntr-helper opened 3 years ago

huntr-helper commented 3 years ago

https://huntr.dev/users/Mik317 has fixed the Cross-site Scripting (XSS) vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
| --- | --- |
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/Instagram-PHP-API/pull/2 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/packagist/instagram-php-api/1/README.md |

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-packagist-instagram-php-api

⚙️ Description *

An XSS issue occurred in the instagram-php-api project, which was due to insecure reflection of user-supplied input through the ?error_description parameter.

💻 Technical Description *

I used the htmlentities() method to sanitize the malicious parameter, avoiding the issue aforementioned.

🐛 Proof of Concept (PoC) *

No PoC, but the issue was clear from the code.

🔥 Proof of Fix (PoF) *

No PoC, but htmlentities() works fine in every scenario.

👍 User Acceptance Testing (UAT)

Just used htmlentities() on a string
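The reflection described in this report, as an added example that is not code from the Instagram-PHP-API project: a hypothetical OAuth callback handler (`renderErrorVulnerable` / `renderErrorSafe` are assumed names) that copies the `?error_description` query parameter into the HTML response, first in the vulnerable form and then hardened with htmlentities() as the fix does. The sample input is constructed.

```php
<?php
// Added example, not the project's own code: the same reflection pattern the
// report describes, in its vulnerable and hardened forms.
declare(strict_types=1);

/** Vulnerable: the raw query-string value lands inside the HTML body. */
function renderErrorVulnerable(array $query): string
{
    $desc = $query['error_description'] ?? 'unknown error';
    return "<p>Authorization failed: {$desc}</p>";
}

/** Hardened: the value is HTML-encoded before it is placed in element content. */
function renderErrorSafe(array $query): string
{
    $desc = $query['error_description'] ?? 'unknown error';
    // ENT_QUOTES encodes both quote characters, so the result is also safe
    // inside a quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of returning an empty string; the explicit charset avoids depending on
    // php.ini's default_charset.
    $escaped = htmlentities($desc, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Authorization failed: {$escaped}</p>";
}

/** Reviewer self-check: the encoded body must contain no raw <, >, " or '. */
function encodedBodyIsInert(string $html): bool
{
    $prefix = '<p>Authorization failed: ';
    $body = substr($html, strlen($prefix), -strlen('</p>'));
    return strpbrk($body, '<>"\'') === false;
}

// Constructed sample standing in for $_GET on the callback URL; it carries
// angle brackets, quotes and an ampersand so every encoding path is exercised.
$sample = ['error_description' => '<b>injected markup</b> with "quotes" & an ampersand'];

echo renderErrorVulnerable($sample), PHP_EOL;  // markup is emitted as-is
echo renderErrorSafe($sample), PHP_EOL;        // markup is emitted as text

var_dump(encodedBodyIsInert(renderErrorVulnerable($sample))); // bool(false)
var_dump(encodedBodyIsInert(renderErrorSafe($sample)));       // bool(true)
```

Note that htmlentities() protects element content and quoted attribute values; a value placed into a JavaScript block or a URL needs context-specific encoding instead.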