
XSS via wallet name on web interface

Open theblazehen opened this issue 7 years ago • 4 comments

I set my wallet name to <script>alert('XSS');</script> and some time later I got that on the creepminer web interface

theblazehen avatar Jul 01 '17 08:07 theblazehen

:smile: This should better be secured!

Also: if the pool or wallet sends HTML code as a response to a request, the web interface tries to parse it and executes JavaScript inside it.

Creepsky avatar Jul 01 '17 08:07 Creepsky
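
The two behaviours described in this thread (a wallet name rendered as markup, and HTML in a pool or wallet response being parsed), sketched in JavaScript as an added example. It is not creepMiner's code; the function names, the `name` field and the table-cell markup are assumptions.

```javascript
// Added example; function and field names are hypothetical, not creepMiner's.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted wallet name concatenated straight into markup.
function renderWalletUnsafe(name) {
  return "<td class=\"wallet\">" + name + "</td>";
}

// Hardened form: the name is encoded before it reaches the markup.
function renderWalletSafe(name) {
  return "<td class=\"wallet\">" + escapeHtml(name) + "</td>";
}

// Upstream (pool or wallet) replies: accept only JSON, read only the expected
// field, and require it to be a string. Anything else becomes an inert message.
function readUpstreamName(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (err) {
    return { ok: false, text: "unparseable upstream response" };
  }
  if (parsed === null || typeof parsed !== "object" || typeof parsed.name !== "string") {
    return { ok: false, text: "unexpected upstream response shape" };
  }
  return { ok: true, text: parsed.name };
}

// Constructed sample inputs: the wallet name from the report, and an HTML reply.
const reportedName = "<script>alert('XSS');</script>";
const htmlReply = "<html><body><script>alert(1)</script></body></html>";
const jsonReply = JSON.stringify({ name: reportedName });

console.log(renderWalletUnsafe(reportedName)); // script tag survives intact
console.log(renderWalletSafe(reportedName));   // shown as visible text
console.log(readUpstreamName(htmlReply));      // rejected, never parsed as markup
console.log(renderWalletSafe(readUpstreamName(jsonReply).text));
```

In a browser front end the same effect comes from assigning the value with `textContent` instead of building markup from it.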

Thanks for the quick response. I underestimated the impact that this could have had, otherwise I would have contacted you through more private means rather than adding it all to the ticket.

theblazehen avatar Jul 01 '17 08:07 theblazehen

Oh you did nothing wrong, thanks for submitting it! This is exactly what the issue tracker is good for : )

Creepsky avatar Jul 01 '17 08:07 Creepsky

Was this ever solved @Creepsky? Is 1.6+ now secure from this issue?

damccull avatar Apr 19 '18 06:04 damccull