Details
- Improvement
- Status: Resolved
- Major
- Resolution: Won't Fix
- 2.3.2
- None
Description
Put in HTML/JavaScript for a user's first name; it makes it into the database and is displayed and executed on the web interface.
Example: ./vcld -setup
Add user with a firstname of "<b>Bol</b>"
Lookup the user on the web interface
There are no injection checks on the input entered via any of the vcld --setup options. However, in order to run vcld --setup one would need console access to a management node and the command would probably need to run as root in order to work. With this level of access, it can be implied that the person can obtain full r/w access to the database. Adding checks really wouldn't add much security.
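The following is an added example, not code from the ticket or from the VCL project. It shows the output side of the issue discussed above: encoding the stored first name when it is rendered treats it as text whether the row came from `vcld --setup` or from a direct database write, and a short audit query finds rows that already contain markup. The `user` table, its columns and the function names are hypothetical, and the sample rows are constructed (the second uses the first name from the report).

```python
import html
import re
import sqlite3

# Matches an HTML tag or a character reference inside a stored name.
MARKUP = re.compile(r"<[^>]*>|&#?\w+;")


def build_db():
    """Constructed in-memory table; hypothetical schema, not the real VCL one."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, firstname TEXT)"
    )
    db.executemany(
        "INSERT INTO user (username, firstname) VALUES (?, ?)",
        [("alice", "Alice"), ("bol", "<b>Bol</b>"), ("darcy", "D'Arcy & Co")],
    )
    return db


def render_raw(firstname):
    """Behaviour in the report: the stored value goes into the page as-is."""
    return "<td>" + firstname + "</td>"


def render_escaped(firstname):
    """Encode at output time so the browser shows the value as text."""
    return "<td>" + html.escape(firstname, quote=True) + "</td>"


def audit_firstnames(db):
    """Return (id, firstname) for rows whose stored first name contains markup."""
    rows = db.execute("SELECT id, firstname FROM user ORDER BY id")
    return [(row_id, name) for row_id, name in rows if MARKUP.search(name)]


if __name__ == "__main__":
    db = build_db()
    for _id, name in db.execute("SELECT id, firstname FROM user ORDER BY id"):
        print(render_raw(name), "->", render_escaped(name))
    print("rows to review:", audit_firstnames(db))
```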