starpeng / cool-php-captcha

Automatically exported from code.google.com/p/cool-php-captcha
GNU General Public License v3.0

xss #2

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. http://127.0.0.1/example-form.php?captcha=%3Cscript%3Ealert(1)%3C/script%3E

What is the expected output? What do you see instead?
filtered with htmlspecialchars()

What version of the product are you using? On what operating system?
0.2.1

Please provide any additional information below.
textbook xss. 

Overall I think your captcha is quite secure and easy to implement. I like
the text manipulation and the random fonts. I recommend using randomly
generated answers over a list of words because possible guesses can be
compared to the list before making a real guess.

I am the Michael Brooks in this article:
http://www.forbes.com/2008/11/25/cyber-security-bots-tech-identity08-cx_ag_1125cyberbots.html

peace 

Original issue reported on code.google.com by firealwa...@gmail.com on 31 Dec 2008 at 2:02
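The reflected-parameter pattern behind the report, shown as an added example that is not code from cool-php-captcha: a `captcha` GET parameter echoed straight back into `example-form.php`, beside the `htmlspecialchars()` fix the reporter asks for. The form markup, the `h()` helper and the `render_form_*` function names are assumptions made for the illustration; only the parameter name and the payload come from the reproduction step above.

```php
<?php
// Added example, not the project's own code. The form markup and the
// function names are assumptions; the `captcha` parameter and the
// <script>alert(1)</script> payload come from the bug report.

/**
 * Vulnerable: the raw request value lands in an HTML attribute and in the
 * page body. Requesting
 *   example-form.php?captcha=%3Cscript%3Ealert(1)%3C/script%3E
 * puts <script>alert(1)</script> into the response unchanged.
 */
function render_form_vulnerable(array $get): string
{
    $captcha = $get['captcha'] ?? '';
    return '<form method="get" action="example-form.php">'
         . '<input type="text" name="captcha" value="' . $captcha . '">'
         . '<p>You entered: ' . $captcha . '</p>'
         . '</form>';
}

/**
 * Fixed: every untrusted value passes through htmlspecialchars() before it
 * reaches HTML. ENT_QUOTES also escapes single quotes, so the value is safe
 * inside both double- and single-quoted attributes; ENT_SUBSTITUTE keeps an
 * invalid byte sequence from silently turning the whole output into "";
 * naming the charset keeps the encoder in step with the page's own charset.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_form_fixed(array $get): string
{
    $captcha = $get['captcha'] ?? '';
    return '<form method="get" action="example-form.php">'
         . '<input type="text" name="captcha" value="' . h($captcha) . '">'
         . '<p>You entered: ' . h($captcha) . '</p>'
         . '</form>';
}

// Constructed request, mirroring the reproduction step in the report.
$request = ['captcha' => '<script>alert(1)</script>'];

$vulnerable = render_form_vulnerable($request);
$fixed      = render_form_fixed($request);

// The vulnerable output still carries an executable <script> element; the
// fixed output carries only the escaped text &lt;script&gt;...&lt;/script&gt;.
$checks = [
    'payload reflected unescaped by the vulnerable form'
        => strpos($vulnerable, '<script>alert(1)</script>') !== false,
    'no <script> element survives in the fixed form'
        => strpos($fixed, '<script>') === false,
    'fixed form shows the payload as escaped text'
        => strpos($fixed, '&lt;script&gt;alert(1)&lt;/script&gt;') !== false,
];

foreach ($checks as $label => $ok) {
    echo ($ok ? 'PASS' : 'FAIL') . ': ' . $label . PHP_EOL;
    if (!$ok) {
        exit(1);
    }
}

echo $fixed, PHP_EOL;
```

Run it with `php example.php` from the command line; the three checks print `PASS` and the escaped form follows. The same escaping must be applied at every point where the value is written into HTML, not only the one the payload in the report happens to hit: the attribute context in the form needs `ENT_QUOTES` as well, because a single-quoted attribute can be broken out of with `'` even when `<` and `>` are already encoded.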

GoogleCodeExporter commented 9 years ago
Fixed in subversion, will be available in the next release

Original comment by joserodr...@gmail.com on 23 Feb 2009 at 2:56