tgoddard

ERB remote code execution via inline render

2

If a target page to be cloned returns ERB code, I believe the calls to: render :inline => @clone.page https://github.com/pentestgeek/phishing-frenzy/blob/master/app/views/clones/show.html.erb#L15 https://github.com/pentestgeek/phishing-frenzy/blob/master/app/views/clones/preview.html.erb will execute that embedded code. It is not safe...