<![CDATA[ChipMusic.org - Security issue in profile pages]]> https://chipmusic.org/forums/topic/17174/security-issue-in-profile-pages/ Thu, 08 Oct 2015 19:32:10 +0000 PunBB <![CDATA[Re: Security issue in profile pages]]> https://chipmusic.org/forums/post/235265/#p235265 SketchMan3 says:

I keep getting to these after youve fixed it. I wanted to see what would happen sad

]]> Thu, 08 Oct 2015 19:32:10 +0000 https://chipmusic.org/forums/post/235265/#p235265 <![CDATA[Re: Security issue in profile pages]]> https://chipmusic.org/forums/post/235224/#p235224 Delek says:

I also can write code in the title of uploaded songs:
http://chipmusic.org/delek/music/delek---just-one-day
(note that there's no website header)

]]> Wed, 07 Oct 2015 14:29:08 +0000 https://chipmusic.org/forums/post/235224/#p235224 <![CDATA[Re: Security issue in profile pages]]> https://chipmusic.org/forums/post/235149/#p235149 Delek says:

Great! It was the lack of htmlentities()/htmlspecialchars() to pre-process the data?

]]> Mon, 05 Oct 2015 18:50:46 +0000 https://chipmusic.org/forums/post/235149/#p235149 <![CDATA[Re: Security issue in profile pages]]> https://chipmusic.org/forums/post/235148/#p235148 nitro2k01 says:

Fixed. If you or anyone else finds vulnerabilities on the site in the future, please contact me or Tim (trash80) directly or send an e-mail to staff at chipmusic dot org.

]]> Mon, 05 Oct 2015 18:02:35 +0000 https://chipmusic.org/forums/post/235148/#p235148 <![CDATA[Re: Security issue in profile pages]]> https://chipmusic.org/forums/post/235147/#p235147 egr says:

Yikes!

]]> Mon, 05 Oct 2015 15:48:38 +0000 https://chipmusic.org/forums/post/235147/#p235147 <![CDATA[Re: Security issue in profile pages]]> https://chipmusic.org/forums/post/235144/#p235144 Dire Hit says:
DeerPresident wrote:

Wow. This is actually the most important issue brought up on these forums in a long time.

Second most, after the dangers of crowdfunding. Still pretty spooky.

]]> Mon, 05 Oct 2015 14:55:27 +0000 https://chipmusic.org/forums/post/235144/#p235144 <![CDATA[Re: Security issue in profile pages]]> https://chipmusic.org/forums/post/235143/#p235143 DeerPresident says:

Wow. This is actually the most important issue brought up on these forums in a long time. I guess I just trust people on this site more than I should.
I second Delek's request to have this potential security threat rectified.

]]> Mon, 05 Oct 2015 14:42:19 +0000 https://chipmusic.org/forums/post/235143/#p235143 <![CDATA[Security issue in profile pages]]> https://chipmusic.org/forums/post/235142/#p235142 Delek says:

First please take a second to enter to my profile page: http://chipmusic.org/delek

...

Ok, you're back now... As you have noticed, you have been redirected to my website instead of seeing my user information. Why does this happen?, because you can actually write code in the links if you know how.

This should be fixed ASAP, I added just an innocent redirection as an example but very malicious client side code can be injected too.

]]> Mon, 05 Oct 2015 14:26:31 +0000 https://chipmusic.org/forums/post/235142/#p235142