ispcfg3

Cross site scripting attack

Open k4mikazi666 opened this issue 6 years ago • 2 comments

A client can easily change the HTML code from inspect element, remove the disable tag from the add website button and create unlimited websites. They can change the id on the delete website form button and destroy another user's website. In your PHP code you must validate that the current user can make changes only on their own websites, databases, DNS, mails, etc.

k4mikazi666 Apr 29 '19 11:04
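
The server-side validation the report asks for, as an added example that is not part of the original issue or the project's code. The function names, the in-memory arrays standing in for the database, and the per-client limits are all hypothetical and constructed for illustration.

```php
<?php
// Added example with hypothetical names; not taken from the project.
// Constructed in-memory data standing in for the database.
$websites = [
    10 => ['owner_id' => 1, 'domain' => 'alice.example'],
    11 => ['owner_id' => 2, 'domain' => 'bob.example'],
];
$limits = [1 => 1, 2 => 3]; // maximum websites per client id

function countOwned(array $websites, int $clientId): int
{
    return count(array_filter($websites, fn($w) => $w['owner_id'] === $clientId));
}

// The limit is enforced on the server. A "disabled" attribute on the
// button is only a UI hint and can be removed in the browser.
function addWebsite(array &$websites, array $limits, int $sessionClientId, string $domain): bool
{
    if (countOwned($websites, $sessionClientId) >= ($limits[$sessionClientId] ?? 0)) {
        return false; // quota reached, whatever the form looked like
    }
    $websites[] = ['owner_id' => $sessionClientId, 'domain' => $domain];
    return true;
}

// The record id comes from the request and is untrusted. The client id
// comes from the server-side session, never from a form field.
function deleteWebsite(array &$websites, int $sessionClientId, $requestedId): bool
{
    $id = filter_var($requestedId, FILTER_VALIDATE_INT);
    if ($id === false || !isset($websites[$id])) {
        return false; // malformed or unknown id
    }
    if ($websites[$id]['owner_id'] !== $sessionClientId) {
        return false; // record belongs to another client: refuse
    }
    unset($websites[$id]);
    return true;
}

var_dump(addWebsite($websites, $limits, 1, 'extra.example')); // client 1 is already at its limit
var_dump(deleteWebsite($websites, 1, '11'));                  // id 11 belongs to client 2
var_dump(deleteWebsite($websites, 1, '10'));                  // client 1's own record
```

The same ownership comparison applies to every record type the report lists (databases, DNS, mail), on every state-changing request.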

Is this fixed?

mikefnasr Dec 17 '20 16:12

Wondering the same thing. Don't see anything in the commit history to suggest it was fixed.

danny6167 Dec 31 '21 12:12