Login/Activity Log Security Issue
Reported by labman | June 29th, 2009 @ 03:50 PM | in 5.0.3 (closed)
It's possible to enter JavaScript as a username when trying to login to Sitellite and whatever is entered will be executed upon viewing the activity log. Try entering a username of , any password, and then properly logging into Sitellite and then viewing your activity log and you'll see the popup. I'm not sure how much damage could be done, but this should be sanitized when viewing the log.
Comments and changes to this ticket
-
lux June 29th, 2009 @ 05:50 PM
- State changed from new to resolved
I just committed a fix that sanitizes the usernames now. Here's a link to the commit:
http://github.com/lux/sitellite/commit/e8f02bfb50e9825912e117d2090c...
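The pattern behind this ticket is stored XSS: the username from a failed login attempt is written to the activity log verbatim and later interpolated into the log page's HTML unescaped. The following is an added example, not Sitellite's code and not the contents of the linked commit; the activity-log row layout (`ts`, `user`, `ok`) and the sample rows are constructed for illustration. It contrasts the unsafe rendering with one that escapes every request-derived field at output time and includes a small check that the escaped value can no longer alter HTML structure.

```php
<?php
declare(strict_types=1);

// Added example (not Sitellite's code): storing a username verbatim is fine,
// but it must be escaped when the activity log is rendered as HTML.

// Constructed sample rows; the real activity-log schema is an assumption.
function sample_log(): array
{
    return [
        ['ts' => '2009-06-29 15:40:02', 'user' => 'labman', 'ok' => true],
        // A failed login whose "username" is markup rather than a name.
        ['ts' => '2009-06-29 15:41:17', 'user' => '<script>alert(1)</script>', 'ok' => false],
        // A username that tries to break out of an attribute value.
        ['ts' => '2009-06-29 15:42:05', 'user' => 'x" onmouseover="alert(1)', 'ok' => false],
    ];
}

// Vulnerable rendering: stored input is interpolated into HTML unchanged,
// so a username containing markup is interpreted by the viewer's browser.
function render_log_unsafe(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $r) {
        $status = $r['ok'] ? 'success' : 'failure';
        $html .= "<tr><td>{$r['ts']}</td><td>{$r['user']}</td><td>{$status}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// HTML output encoding for text content and quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened rendering: every field that originated from a request is
// escaped at the point of output, in both the cell text and the attribute.
function render_log_safe(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $r) {
        $status = $r['ok'] ? 'success' : 'failure';
        $html .= '<tr><td>' . h($r['ts']) . '</td>'
               . '<td title="' . h($r['user']) . '">' . h($r['user']) . '</td>'
               . '<td>' . $status . '</td></tr>' . "\n";
    }
    return $html . "</table>\n";
}

// Regression check: after escaping, a username must contain none of the
// characters that can change HTML structure.
function is_inert(string $escaped): bool
{
    return strpbrk($escaped, '<>"\'') === false;
}

$rows = sample_log();
foreach ($rows as $r) {
    printf("%-28s -> %s (%s)\n", $r['user'], h($r['user']),
           is_inert(h($r['user'])) ? 'inert' : 'STILL DANGEROUS');
}
printf("unsafe render contains <script>: %s\n",
       strpos(render_log_unsafe($rows), '<script>') !== false ? 'yes' : 'no');
printf("safe render contains <script>:   %s\n",
       strpos(render_log_safe($rows), '<script>') !== false ? 'yes' : 'no');
echo render_log_safe($rows);
```

The escaping belongs in the view, not in the login handler: the log should keep the exact string that was submitted (it is useful evidence of what was attempted), and every place that displays it must encode for the context it lands in. Restricting the username field at login (length, character set) is reasonable defence in depth, but on its own it does not fix a log page that trusts stored data.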
-
Charles Brunet August 7th, 2009 @ 09:41 AM
- Milestone set to 5.0.3
[milestone:id#47011 bulk edit command]