'age' exploit
Hey,
I found something that might be an XSS exploit (didn't try it) but worth reporting. When creating a new thread in the Slave/Master Area there is an "age" input. This has the readonly attribute so you cannot edit it. But when removing this readonly attribute or directly changing the value of the input client-side, it will post that value to the server without validating it.
This means people are able to change their age to whatever they like and maybe even to strings instead of an integer.
Greetings,
Azz
Last edited by Azz; 05-11-2011 at 11:09 AM.
Reason: typo
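A server-side handling of the readonly "age" field described in the post above, as an added example that is not part of the original post or the forum's own code. It assumes the server keeps a birthdate in the user's profile; the function names, the `form`/`profile` dictionaries and the sample values are hypothetical.

```python
import html
from datetime import date
from typing import Optional


def age_on(birthdate: date, today: date) -> int:
    """Whole years between birthdate and today."""
    before_birthday = (today.month, today.day) < (birthdate.month, birthdate.day)
    return today.year - birthdate.year - int(before_birthday)


def parse_age(raw) -> Optional[int]:
    """Strict parse of the posted field: 1-3 ASCII digits, otherwise None."""
    if isinstance(raw, str) and raw.isascii() and raw.isdigit() and len(raw) <= 3:
        return int(raw)
    return None


def handle_new_thread(form: dict, profile: dict, today: date) -> dict:
    """Build the thread record. The posted 'age' is never stored."""
    # readonly is only a browser hint, so the age is recomputed from
    # server-side data (assumed here: a birthdate in the profile).
    trusted_age = age_on(profile["birthdate"], today)

    # The posted value is used only to detect that the field was altered.
    tampered = parse_age(form.get("age")) != trusted_age

    return {
        "title_html": html.escape(form.get("title", ""), quote=True),
        "age": trusted_age,
        # Escaped at output as well, so a string that reached storage by
        # some other path would still render as inert text.
        "age_html": html.escape(str(trusted_age), quote=True),
        "tampered": tampered,  # worth logging with the account id
    }


# Constructed sample input (not taken from the forum).
PROFILE = {"birthdate": date(1985, 3, 14)}
TODAY = date(2011, 5, 11)

if __name__ == "__main__":
    print(handle_new_thread({"title": "hello", "age": "26"}, PROFILE, TODAY))
    print(handle_new_thread({"title": "hello", "age": "<b>99</b>"}, PROFILE, TODAY))
```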