I don't understand about security holes. i found
https://www.exploit-db.com/exploits/47725.
this is a bugss or a security issue?
please reproduce the following steps.
1. http://localhost/admin/pageEditGroup.php?groupID=1
2. edit description with payload
><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>
https://ibb.co/Z8FfSsG
https://ibb.co/y020KhV
bug or security issue
Re: bug or security issue
Thanks a lot for this hint, which has been posted in 2019.
I have briefly tested with current AppGini Northwind Demo based on version 5.94: I was not able to edit group description by using that link.
I am not willing to guarantee anything security related but I remember there were quite a lot security updates the last two years.
I am going to check this for my older projects and update them to 5.94. Maybe others can also verify/falsify and report back.
Once again thank you!
I have briefly tested with current AppGini Northwind Demo based on version 5.94: I was not able to edit group description by using that link.
I am not willing to guarantee anything security related but I remember there were quite a lot security updates the last two years.
I am going to check this for my older projects and update them to 5.94. Maybe others can also verify/falsify and report back.
Once again thank you!
Kind regards,
<js />
My AppGini Blog:
https://appgini.bizzworxx.de/blog
You can help us helping you:
Please always put code fragments inside
AppGini 24.10 Revision 1579 + all AppGini Helper tools
<js />
My AppGini Blog:
https://appgini.bizzworxx.de/blog
You can help us helping you:
Please always put code fragments inside
[code]...[/code]
blocks for better readabilityAppGini 24.10 Revision 1579 + all AppGini Helper tools
Re: bug or security issue
https://pastebin.com/TaKWiAY3
please copy paste into the description box area. I think it's a security issue.
i am using appgini version 5.94
please copy paste into the description box area. I think it's a security issue.
i am using appgini version 5.94
Re: bug or security issue
Well, I'm not a security expert nor hacker. This is just the result of a very first test of mine.
As mentioned before, I cannot access the url mentioned in that vulnerability report without being logged in into a 5.94 app.
http://bigprof.com/demo/admin/pageEditG ... ?groupID=1
Can you enter the edit page for groups? I cannot. I get to the home page instead.
So, if I cannot access that page, I cannot paste any risky content into the (non existant) description field.
Don't know if someone can POST (inject) an offending payload into a page he/she cannot access. Security experts should investigate and report back.
Hopefully that vulnerability has already been closed by one of the last AppGini updates!
As mentioned before, I cannot access the url mentioned in that vulnerability report without being logged in into a 5.94 app.
http://bigprof.com/demo/admin/pageEditG ... ?groupID=1
Can you enter the edit page for groups? I cannot. I get to the home page instead.
So, if I cannot access that page, I cannot paste any risky content into the (non existant) description field.
Don't know if someone can POST (inject) an offending payload into a page he/she cannot access. Security experts should investigate and report back.
Hopefully that vulnerability has already been closed by one of the last AppGini updates!
Kind regards,
<js />
My AppGini Blog:
https://appgini.bizzworxx.de/blog
You can help us helping you:
Please always put code fragments inside
AppGini 24.10 Revision 1579 + all AppGini Helper tools
<js />
My AppGini Blog:
https://appgini.bizzworxx.de/blog
You can help us helping you:
Please always put code fragments inside
[code]...[/code]
blocks for better readabilityAppGini 24.10 Revision 1579 + all AppGini Helper tools