VCL-808

vcld allows user values that contain HTML which is not cleaned on web interface

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 2.3.2
    • Fix Version/s: 2.5
    • Component/s: vcld (backend)
    • Labels: None

    Description

      Putting HTML/JavaScript in a user's first name makes it into the database, and it is displayed and executed on the web interface.

      Example: ./vcld -setup
      Add a user with a firstname of "<b>Bol</b>"
      Look up the user on the web interface
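The report above boils down to a stored-XSS pattern: a value written by a trusted backend tool ends up in a page without output encoding. The following is an added illustration, not code from Apache VCL's web frontend; the `$user` row, the `render_*` function names and the table/input markup are assumed for the example. It shows the unescaped rendering that executes stored markup beside the hardened form that encodes at output, in both a text-node context and an attribute-value context.

```php
<?php
// Added example (not VCL project code). Simulates a user row as it would be
// stored after "vcld --setup" accepted arbitrary text for the name fields.
// The values below are constructed sample input.
$user = [
    'firstname' => '<b>Bol</b>',
    'lastname'  => 'Smith"><script>alert(document.cookie)</script>',
];

// Vulnerable: raw string interpolation. The browser parses the stored
// markup, so "<b>Bol</b>" renders bold and the script in lastname runs.
function render_unescaped(array $user): string {
    return "<td>{$user['firstname']} {$user['lastname']}</td>";
}

// Hardened: encode at the point of output for an HTML text node.
// ENT_QUOTES also encodes single and double quotes so the same helper is
// safe inside double-quoted attribute values; ENT_SUBSTITUTE avoids an
// empty string on invalid UTF-8 rather than silently dropping the field.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_escaped(array $user): string {
    return '<td>' . h($user['firstname']) . ' ' . h($user['lastname']) . '</td>';
}

// Attribute context (e.g. an "edit user" form pre-filled from the database).
// Without encoding, the '">' in lastname would close the attribute and the
// tag and inject a new element.
function render_edit_form(array $user): string {
    return '<input type="text" name="lastname" value="' . h($user['lastname']) . '">';
}

echo render_unescaped($user), "\n";   // executable markup reaches the page
echo render_escaped($user), "\n";     // literal text: &lt;b&gt;Bol&lt;/b&gt; ...
echo render_edit_form($user), "\n";   // quotes encoded as &quot;, attribute stays intact
```

Encoding at output rather than "cleaning" at input is the usual choice here: the database can keep names exactly as entered (including legitimate characters such as the apostrophe in O'Brien), and every page that displays the field is protected regardless of which tool wrote the row.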


    Activity

      Andrew Kurth (arkurth) added a comment:

      There are no injection checks on the input entered via any of the vcld --setup options. However, in order to run vcld --setup one would need console access to a management node and the command would probably need to run as root in order to work. With this level of access, it can be implied that the person can obtain full r/w access to the database. Adding checks really wouldn't add much security.

    People

      Assignee: Unassigned
      Reporter: Karl Vollmer (vollmerk)
      Votes: 0
      Watchers: 1
