[CMS] Staff page by Hejula

S

Spartak

Member
Sep 24, 2011
225
33
sorry but i just found a simpl and easy xss fail :s

Just go to ur hotel and type in ur mission
Code: 
<script>ALERT('fail xss detected by Spartak')</script>

and come back to ur staff page....wow

to fixe that add a simple htmlspecialchar befor username etc...
 
Z

Zippy

Member
Aug 5, 2010
92
28
Spartak said:
sorry but i just found a simpl and easy xss fail :s

Just go to ur hotel and type in ur mission
Code: 
<script>ALERT('fail xss detected by Spartak')</script>

and come back to ur staff page....wow

to fixe that add a simple htmlspecialchar befor username etc...
Click to expand...
Lol, just tried that and it doesn't work (Y)
 
Z

Zippy

Member
Aug 5, 2010
92
28
Spartak said:
...it does and look at the code..not secured.
Click to expand...
Why does it need securing? You are mad! No data is in putted by the user, meaning they can not do SQL exploit. You can not register usernames with ' or " so no staff will have usernames like that. So stop nit picking and have a bath.
 
F

funkyben

Member
Jan 18, 2012
31
0
I have to type in (my hotel url) habbolike-hotel.zapto.org/staff
to view this page instead of having a button,
'cause the button only shows when i'm on the staff page, visit my link (register if you have to)
and see for urself
 
G

Gajeel

Well-Known Member
Oct 4, 2011
2,411
413
funkyben said:
I have to type in (my hotel url) habbolike-hotel.zapto.org/staff
to view this page instead of having a button,
'cause the button only shows when i'm on the staff page, visit my link (register if you have to)
and see for urself
Click to expand...
You need to manually add them over.
 

Users who are viewing this thread

Total: 5 (members: 0, guests: 5)
☀️  Switch to Light Theme

Latest posts

Top