Issue: XSS in Comments (VW4 Alpha)

Issue Tools
- View Changes

June 15, 2012 4:47 AM

pegasus

VaultWiki Team

XSS in Comments (VW4 Alpha)

Although we didn't have the settings enabled, it was possible to create a XSS exploit in VaultWiki 4 Alpha 1 by enabling HTML in comments. While there were Usergroup Permissions as well, the permissions were not overriding the global setting.

This should now be Fixed in Aardvark, but trying to use XSS exploits like this should be something on the Alpha Team task list.

Note that this exploit only affected Alpha 1, which is not public and was only used on private (now patched) servers.

Issue Details

Issue Number 2782

Issue Type Bug

Project VaultWiki 3.x Series

Category BB-Code Parsing

Status Fixed

Priority 1 - Security / Login / Data Loss

Affected Version 4.0.0 Alpha 1

Fixed Version 4.0.0 Alpha 1 Aardvark

Milestone (none)

Software DependencyAny

Users able to reproduce bug 0

Users unable to reproduce bug 0

Attachments 0

Assigned Users (none)

Tags (none)

+ Reply

All times are GMT -4. The time now is 10:56 AM.

This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.

Learn more… Accept Remind me later

Welcome to VaultWiki.org, home of the wiki add-on for vBulletin and XenForo!

Issue: XSS in Comments (VW4 Alpha)

Issue Tools