
  • Giovanni Sidoel 94 posts 233 karma points
    Jul 23, 2012 @ 19:56
    Giovanni Sidoel
    0

    XSS vulnerability

    Hi Douglas,

    In an earlier post you say that an XSS vulnerability has been fixed in 2.5. (http://our.umbraco.org/projects/website-utilities/imagegen/imagegen-bugs/12266-Release-plan-for-v3)

    I'm running 2.5.1 and am encountering a vulnerability when requesting the following:

    /ImageGen.ashx?image=>"></title></iframe></script></form><sCriPt>alert("XSS+DETECTED")</sCriPt>width=112

    Is this something that has been fixed in later versions? I have not seen anything mentioned about XSS in the "what's new" section of the project page.

    Thanks.

  • Giovanni Sidoel 94 posts 233 karma points
    Jul 23, 2012 @ 20:13
    Giovanni Sidoel
    0

    OK... After some more digging I noticed that our dev and live environments were running different versions of ImageGen. Dev had 2.5.1 and live had 2.2.1 for some reason.

    I find that a bit odd. But I think that's why the XSS vulnerability is still there. I'll upgrade to 2.51 and see if that fixes it.
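
An added example, not part of the thread and not ImageGen's own code: a Python check that scans IIS W3C access logs for ImageGen.ashx requests whose `image` parameter decodes to HTML markup, useful for seeing whether requests like the one reported above reached an environment still on an older version. The sample log lines and their field layout are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote_plus

# Constructed IIS W3C log excerpt (not from the thread); field order is an assumption,
# which is why the parser reads it from the "#Fields:" directive instead of hard-coding it.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2012-07-23 19:50:01 GET /ImageGen.ashx image=/media/1234/photo.jpg&width=112 200
2012-07-23 19:50:07 GET /ImageGen.ashx image=%3E%22%3E%3C/title%3E%3CsCriPt%3Ealert(1)%3C/sCriPt%3E&width=112 200
2012-07-23 19:50:09 GET /imagegen.ashx image=%253Cscript%253E&width=50 200
2012-07-23 19:50:12 GET /default.aspx q=%3Cb%3E 200
"""

# Characters that have no place in an image path but are needed to break out of HTML context.
MARKUP_CHARS = set('<>"')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_imagegen_requests(log_text, handler="/imagegen.ashx"):
    """Return (line_number, decoded image value) for handler hits with markup in `image`."""
    fields, hits = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("cs-uri-stem", "").lower() != handler:
            continue                           # only the image handler is of interest
        query = row.get("cs-uri-query", "")
        for name, value in parse_qsl(query, keep_blank_values=True):
            decoded = decode_fully(value)
            if name.lower() == "image" and MARKUP_CHARS & set(decoded):
                hits.append((lineno, decoded))
    return hits


if __name__ == "__main__":
    for lineno, value in suspicious_imagegen_requests(SAMPLE_LOG):
        print(f"line {lineno}: image={value!r}")
```

Running it against the logs of each environment separately shows which one is still receiving and serving such requests.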
