Digitalstack/ZnoteAAC
2
0
Fork 0
mirror of https://github.com/Znote/ZnoteAAC.git synced 2025-04-29 10:49:23 +02:00
Code Issues Packages Projects Releases Wiki Activity

patch XSS vulnerability (#358)

Browse Source 
the powergamers page was vulnerable to XSS/javascript injection, this should fix it.

XSS screenshot: https://i.imgur.com/4rJuWqY.png
XSS POC:

<form action="https://<censored>/powergamers.php" method="POST">
<input type="hidden" name="days[]" value="3" />
<input type="hidden" name="days[]" value="1&lt;script&gt;alert(&quot;XSS running!&quot;);&lt;/script&gt;" />
<input type="submit" value="click here to start xss" />
</form>
This commit is contained in:
divinity76 2019-04-19 21:23:57 +02:00 committed by Stefan A. Brannfjell
parent c0fe9e5d85
commit d9cd81508b
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
powergamers.php
View File

@ -15,8 +15,8 @@ include 'layout/overall/footer.php';
$today = true;
if ($days) {
$selected = ($_POST['days']);
$days = $selected[1];
$vocation = $selected[0];
$days = (int) $selected[1];
$vocation = (int) $selected[0];
if ($days > 0)
$today = false;
} else {