First, please take a second to visit my profile page: http://chipmusic.org/delek

...

Ok, you're back now... As you have noticed, you have been redirected to my website instead of seeing my user information. Why does this happen? Because you can actually write code in the links if you know how.

This should be fixed ASAP. I added just an innocent redirection as an example, but very malicious client-side code can be injected too.

Last edited by Delek (October 5, 2015 2:28 pm)

Wow. This is actually the most important issue brought up on these forums in a long time. I guess I just trust people on this site more than I should.
I second Delek's request to have this potential security threat rectified.

DeerPresident wrote:

Wow. This is actually the most important issue brought up on these forums in a long time.

Second most, after the dangers of crowdfunding. Still pretty spooky.

Yikes!

Fixed. If you or anyone else finds vulnerabilities on the site in the future, please contact me or Tim (trash80) directly or send an e-mail to staff at chipmusic dot org.

Great! Was it the lack of htmlentities()/htmlspecialchars() to pre-process the data?

I also can write code in the title of uploaded songs:
http://chipmusic.org/delek/music/delek---just-one-day
(note that there's no website header)

Last edited by Delek (October 7, 2015 2:30 pm)
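
The output encoding asked about in the post above, as an added example (not chipmusic.org's code, which the thread does not show). It assumes a PHP site that renders a user-supplied profile website link and song title; all function names and sample values are hypothetical.

```php
<?php
// Hypothetical helpers; the names and the fields they render are assumptions.

/** Encode untrusted text for an HTML text node or a quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return the URL only if it is an absolute http(s) URL, otherwise null. */
function safe_http_url(string $url): ?string
{
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($scheme) || !is_string($host)) {
        return null; // relative, malformed, or scheme-only values such as javascript:
    }
    return in_array(strtolower($scheme), ['http', 'https'], true) ? $url : null;
}

function render_profile_link(string $website): string
{
    $url = safe_http_url($website);
    if ($url === null) {
        return e($website); // show as plain text, never as a link
    }
    return '<a href="' . e($url) . '" rel="nofollow noopener">' . e($url) . '</a>';
}

function render_song_title(string $title): string
{
    return '<h2>' . e($title) . '</h2>';
}

// Constructed sample input, not taken from the site.
$samples = [
    'http://example.org/',
    'http://example.org/"><b>injected markup</b>',
    'javascript:void(0)',
];
foreach ($samples as $s) {
    echo render_profile_link($s), PHP_EOL;
}
echo render_song_title('Just One Day</h2><b>injected markup</b>'), PHP_EOL;
```

Encoding alone stops markup from breaking out of the attribute or heading, but it leaves a non-http scheme in `href` intact, which is why the link helper also checks the scheme before emitting an anchor.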

I keep getting to these after you've fixed it. I wanted to see what would happen :(