Offline
Buenos Aires, Argentina

First please take a second to enter to my profile page: http://chipmusic.org/delek

...

Ok, you're back now... As you have noticed, you have been redirected to my website instead of seeing my user information. Why does this happen?, because you can actually write code in the links if you know how.

This should be fixed ASAP, I added just an innocent redirection as an example but very malicious client side code can be injected too.

Last edited by Delek (Oct 5, 2015 2:28 pm)

Offline
South Korea

Wow. This is actually the most important issue brought up on these forums in a long time. I guess I just trust people on this site more than I should.
I second Delek's request to have this potential security threat rectified.

Offline
Seattle, WA
DeerPresident wrote:

Wow. This is actually the most important issue brought up on these forums in a long time.

Second most, after the dangers of crowdfunding. Still pretty spooky.

Offline
Abandoned on Fire

Yikes!

Offline
Sweeeeeeden

Fixed. If you or anyone else finds vulnerabilities on the site in the future, please contact me or Tim (trash80) directly or send an e-mail to staff at chipmusic dot org.

Offline
Buenos Aires, Argentina

Great! It was the lack of htmlentities()/htmlspecialchars() to pre-process the data?

Offline
Buenos Aires, Argentina

I also can write code in the title of uploaded songs:
http://chipmusic.org/delek/music/delek---just-one-day
(note that there's no website header)

Last edited by Delek (Oct 7, 2015 2:30 pm)

Offline
NC in the US of America

I keep getting to these after youve fixed it. I wanted to see what would happen sad