Re^13: Making Perl Monks a better place for newbies (and others)


good chemistry is complicated, and a little bit messy -LW
	PerlMonks

Re^13: Making Perl Monks a better place for newbies (and others)

by talexb (Chancellor)

on Feb 06, 2020 at 17:31 UTC ( [id://11112508]=note: print w/replies, xml )

Need Help??

in reply to Re^12: Making Perl Monks a better place for newbies (and others)
in thread Making Perl Monks a better place for newbies (and others)

"What the PM engine receives is what the user typed into the box. What is stored in the db is what the user typed into the box."

I'm not sure I understand how storing user input in the database creates a security issue. If it's code that could run, someone would have to grab that node and .. execute it. The Everything2 engine just stores the user input, then regurgitates it when a node is displayed. The content is never executed by the engine, or by the browser.

Do you have a proof of concept node that exploits this?

Alex / talexb / Toronto

Thanks PJ. We owe you so much. Groklaw -- RIP -- 2003 to 2013.

Comment on Re^13: Making Perl Monks a better place for newbies (and others)

Replies are listed 'Best First'.
Re^14: Making Perl Monks a better place for newbies (and others) by LanX (Saint) on Feb 06, 2020 at 17:48 UTC
Theoretically you could inject XSS code into the user's page or execute other JS exploits. You could also damage the display of framing pages with corrupted HTML. (more a nuisance) But the posts are filtered and only approved markup is allowed. Our new pmdev hasn't even read the user docu below each post form. -> Markup in the Monastery -> Perl Monks Approved HTML tags Cheers Rolf _{(addicted to the Perl Programming Language :) Wikisyntax for the Monastery FootballPerl is like chess, only without the dice}	[reply]
Re^14: Making Perl Monks a better place for newbies (and others) by Anonymous Monk on Feb 07, 2020 at 04:27 UTC
session riding, https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html	[reply]

In Section Perl Monks Discussion

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://11112508]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others browsing the Monastery: (6)

As of 2024-04-19 09:21 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found