
bug or security issue

Posted: 2021-01-30 08:01
by riko01
I don't understand about security holes. I found
https://www.exploit-db.com/exploits/47725.

Is this a bug or a security issue?

Please reproduce the following steps.

1. http://localhost/admin/pageEditGroup.php?groupID=1

2. edit description with payload
><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>


https://ibb.co/Z8FfSsG

https://ibb.co/y020KhV

Re: bug or security issue

Posted: 2021-01-30 09:48
by jsetzer
Thanks a lot for this hint, which was posted in 2019.

I have briefly tested with the current AppGini Northwind Demo based on version 5.94: I was not able to edit the group description by using that link.

I am not willing to guarantee anything security-related, but I remember there were quite a lot of security updates in the last two years.

I am going to check this for my older projects and update them to 5.94. Maybe others can also verify/falsify and report back.

Once again thank you!

Re: bug or security issue

Posted: 2021-01-30 10:28
by riko01
https://pastebin.com/TaKWiAY3

Please copy and paste it into the description box area. I think it's a security issue.
I am using AppGini version 5.94.

Re: bug or security issue

Posted: 2021-01-30 10:50
by jsetzer
Well, I'm not a security expert nor a hacker. This is just the result of a very first test of mine.

As mentioned before, I cannot access the URL mentioned in that vulnerability report without being logged in to a 5.94 app.

http://bigprof.com/demo/admin/pageEditG ... ?groupID=1

Can you enter the edit page for groups? I cannot. I get to the home page instead.

So, if I cannot access that page, I cannot paste any risky content into the (non-existent) description field.

Don't know if someone can POST (inject) an offending payload into a page he/she cannot access. Security experts should investigate and report back.

Hopefully that vulnerability has already been closed by one of the last AppGini updates!
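
Added example, not part of the thread and not AppGini's own code: output encoding applied to a stored group description, using the payload quoted in the first post as constructed input. The function names and the two rendering contexts (an input value and a table cell) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: function names are hypothetical, not AppGini's.

/** Encode untrusted text for an HTML element body or a quoted attribute. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** True if the string still carries characters that can open a tag or close an attribute. */
function has_raw_markup(string $value): bool
{
    return strpbrk($value, '<>"\'') !== false;
}

/** Build an edit field and a listing cell for a stored group description. */
function render_description(string $stored): string
{
    $safe = html_escape($stored);
    return '<input type="text" name="description" value="' . $safe . '">' . "\n"
         . '<td>' . $safe . '</td>';
}

// Constructed stored value: the payload quoted in the first post.
$stored = '><h1><IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>123</h1>';

echo "stored value has raw markup:  ", var_export(has_raw_markup($stored), true), "\n";
echo "encoded value has raw markup: ", var_export(has_raw_markup(html_escape($stored)), true), "\n";
echo render_description($stored), "\n";
```

Encoding at output time covers every page that displays the description, regardless of which account or request stored the value.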