gWorldz / get-simple-cms

Automatically exported from code.google.com/p/get-simple-cms
GNU General Public License v3.0

XSS vulnerability in "/admin/index.php" #219

GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Visit http://get-simple.info/admin/?success=%3Ciframe%20src=//jsfiddle.net/X8Sgr/show? (page at jsfiddle is only an alert();).
2. JavaScript alert() is executed.

What is the expected output? What do you see instead?
No JS should be executed.

What version of the product are you using? On what operating system?
GetSimple 3.0 using Google Chrome 12 to view page on Windows 7.

Please provide any additional information below.
Information messages should come from a lang file and not URL parameters.

Original issue reported on code.google.com by myw...@gmail.com on 13 Jun 2011 at 11:00

GoogleCodeExporter commented 9 years ago
Confirmed. Works in at least the latest versions of Chrome, Opera, Safari and Firefox on Windows 7. Internet Explorer 9 detects and strips XSS attempts so it doesn't work in that browser.

Original comment by m%turi...@gtempaccount.com on 13 Jun 2011 at 11:11

GoogleCodeExporter commented 9 years ago
Already fixed in the SVN. Thanks.

Original comment by ccagle8 on 14 Jun 2011 at 12:44
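
The reporter's suggestion (messages from a lang file, not from URL parameters), sketched as an added PHP example that is not GetSimple's code and not the SVN fix: the `success` parameter only selects a key in a language array. `$i18n`, its keys, the function names and the `updated` CSS class are assumptions, and the "unsafe" function is an assumed reconstruction of the reflected-parameter pattern the report implies.

```php
<?php
// Added example; not GetSimple's code. All names below are hypothetical.

// Hypothetical language-file entries, keyed by message id.
$i18n = [
    'SETTINGS_UPDATED' => 'Your settings have been updated.',
    'PAGE_DELETED'     => 'The page has been deleted.',
];

// Escape a value for an HTML text or quoted-attribute context.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed vulnerable pattern: the parameter value itself is the message
// and is written into the page without encoding.
function render_notice_unsafe(array $query): string
{
    if (!isset($query['success'])) {
        return '';
    }
    return '<div class="updated">' . $query['success'] . '</div>';
}

// Hardened: the parameter is only a lookup key. Unknown keys and
// non-string values (e.g. ?success[]=x) render nothing, and the
// looked-up text is still encoded on output.
function render_notice(array $query, array $i18n): string
{
    $key = $query['success'] ?? '';
    if (!is_string($key) || !isset($i18n[$key])) {
        return '';
    }
    return '<div class="updated">' . html_escape($i18n[$key]) . '</div>';
}

// Constructed input: the query string from the report, URL-decoded.
$reported = ['success' => '<iframe src=//jsfiddle.net/X8Sgr/show?'];

echo render_notice_unsafe($reported), "\n";                           // markup reflected as-is
echo render_notice($reported, $i18n), "\n";                           // not a known key: empty
echo render_notice(['success' => 'SETTINGS_UPDATED'], $i18n), "\n";   // message from the lang array
```

Output encoding alone would also stop the reflected markup, but the key lookup additionally prevents arbitrary attacker-chosen text from appearing in the admin interface.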