    Details

    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      We also have targets with params in the URL in forms, even though they already use the POST action

      In form.xml look for

      <<form(.*)target=(.*)\?(.*)=(.*)>> (24 instances)
      <<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>> (23 instances)
      

      An easy example to use is ListPhysicalInventory.

      So we should extend the param-name scheme to form widgets also.
      Maybe some targets are not calling services and so are not real threats (no changes possible in DB). But we have already chosen to change all hyperlinks in the same case and not to try to filter them.
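
      An audit sketch for the search described above, added here as an example and not taken from the issue or from the project's code: it parses a form-widget file as XML instead of using the two regexes, so a target attribute on the same line as <form and one on a following line are both caught in one pass. The sample XML, the form names in it and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a form-widget file (not real project content).
SAMPLE = """<forms>
  <form name="ExampleList" type="list"
        target="ExampleList?facilityId=${facilityId}&amp;mode=edit">
    <field name="productId"><text/></field>
  </form>
  <form name="ExampleEdit" type="single" target="updateExample">
    <field name="exampleId"><hidden/></field>
  </form>
  <form name="ExampleNoTarget" type="single"/>
</forms>"""


def local_name(tag):
    """Strip an XML namespace prefix of the form '{uri}name', if present."""
    return tag.rsplit("}", 1)[-1]


def forms_with_url_params(xml_text):
    """Return (form name, target path, [param names]) for each <form>
    whose target attribute carries at least one name=value pair after '?'."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) != "form":
            continue
        path, sep, query = el.get("target", "").partition("?")
        if not sep:
            continue  # no query string in this target
        # Same condition as the regexes: a '?' followed by something with '='.
        names = [p.split("=", 1)[0] for p in query.split("&") if "=" in p]
        if names:
            findings.append((el.get("name"), path, names))
    return findings


if __name__ == "__main__":
    for name, path, names in forms_with_url_params(SAMPLE):
        print(f"form {name}: target {path} has URL params {', '.join(names)}")
```

      Each reported form is a candidate for moving the listed parameters out of the target URL.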

            People

            • Assignee:
              jleroux Jacques Le Roux
              Reporter:
              jleroux Jacques Le Roux