<script>alert('hello')</script>

If you have questions about using mojoPortal, you can post them here.

You may want to first review our site administration documentation to see if your question is answered there.

This thread is closed to new posts. You must sign in to post in the forums.
5/12/2009 4:05:07 AM
Gravatar
Total Posts 4

<script>alert('hello')</script>

5/12/2009 4:24:03 AM
Gravatar
Total Posts 4

Re: <script>alert('hello')</script>

Hi Joe,

I just wanted to test for existence of XSS vulnerability in MOJOPORTAL, as pointed out by the web application security team in my organisation, while  they were testing our local intranet portal implemented using mojoportal 2.2.9.5

This  is a serious threat to the application.

Unfortunately this threat is existing in this website too. Iam extremely sorry for trying to test the same on this site.

Please take necessary action to fix this bug and immediately delete this topic.

Thanks & Regards

Pranereddy

 

5/12/2009 4:31:04 AM
Gravatar
Total Posts 4

Re: <script>alert('hello')</script>

Hi joe,

By inserting malicious scripts in the 'Subject'  text box (in case of FORUMS) and 'Title" text box (in case of BLOGS) sensitive information can be hacked.

How to fix this bug?

Sorry once again for the inconvenience caused to all users.

Thanks & Regards

Pranereddy

5/12/2009 5:18:14 AM
Gravatar
Total Posts 18439

Re: <script>alert('hello')</script>

Hi,

Thanks for the bug report. Please in the future for security bugs contact me directly instead of posting an exploit.

This problem can be fixed immediately and easily on any installation.

Using a text editor, edt the file Forums/Thead.aspx, look for this near the top:

<asp:Label ID="lblThreadDescription" runat="server" ></asp:Label>

and change it to this:

<NeatHtml:UntrustedContent ID="UntrustedContent5" runat="server" TrustedImageUrlPattern='<%# allowedImageUrlRegexPattern %>' ClientScriptUrl="~/ClientScript/NeatHtml.js">
<asp:Label ID="lblThreadDescription" runat="server" ></asp:Label>
</NeatHtml:UntrustedContent>

This will be fixed in the next release coming very soon.

Best,

Joe

You must sign in to post in the forums. This thread is closed to new posts.