Thread: 'age' exploit
05-11-2011, 08:49 AM   #1
Azz

Hey,

I found something that might be an XSS exploit (didn't try it) but worth reporting. When creating a new thread in the Slave/Master Area there is an "age" input. This has the readonly attribute so you cannot edit it. But when you remove this readonly attribute or directly change the value of the input client-side, it will post that value to the server without validating it.

This means people are able to change their age to whatever they like and maybe even to strings instead of an integer.

Greetings,
Azz

Last edited by Azz; 05-11-2011 at 11:09 AM. Reason: typo
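
Added example, not part of the original post and not the forum's own code: a server-side check for the posted "age" field that does not rely on the readonly attribute. The handler name, the 18-120 range and the optional comparison against a stored profile age are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed bounds; the original post does not state the forum's rules.
MIN_AGE, MAX_AGE = 18, 120
_DIGITS = re.compile(r"[0-9]{1,3}")


def validate_age(raw):
    """Return the age as an int, or raise ValueError for anything else."""
    if raw is None or not _DIGITS.fullmatch(raw):
        raise ValueError("age must be 1-3 ASCII digits")
    age = int(raw)
    if not MIN_AGE <= age <= MAX_AGE:
        raise ValueError("age out of range")
    return age


def handle_new_thread(body, stored_age=None):
    """Hypothetical handler for a form-encoded POST body.

    Returns (status, fragment). readonly is only a browser hint, so the
    posted value is treated like any other untrusted input.
    """
    values = parse_qs(body, keep_blank_values=True).get("age", [])
    if len(values) != 1:  # missing or repeated field
        return 400, "Invalid age"
    try:
        age = validate_age(values[0])
    except ValueError:
        return 400, "Invalid age"
    # If the server already knows the age, the client copy must match it.
    if stored_age is not None and age != stored_age:
        return 400, "Invalid age"
    # Escape on output as well, even though only an int reaches this point.
    return 200, '<span class="age">%s</span>' % html.escape(str(age))


if __name__ == "__main__":
    # Constructed sample request bodies.
    for body in ("title=Hi&age=27", "title=Hi&age=99",
                 "title=Hi&age=%3Cb%3E27%3C%2Fb%3E", "age=27&age=30"):
        print(body, "->", handle_new_thread(body, stored_age=27))
```
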