
[Security] XSS in application/controllers/dropbox.php #106

Description

@seongil-wi

Describe the bug/issue

  • Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the following link: http://[server]/sync/dropbox/download?challenge=%3Cscript%3Ealert(1)%3C/script%3E
  2. Boom!

Where did the vulnerability occur?
The code below displays the user-controlled parameter challenge in application/controllers/dropbox.php with incorrect sanitization:

echo $_GET['challenge'];exit;
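One way to harden the echo shown above, as an added example that is not part of the original report or the project's own code. It assumes the endpoint only needs to return the challenge value as plain text; the function names and the allow-list pattern are hypothetical.

```php
<?php
// Added example (hypothetical helpers, not the project's code).
// Assumption: the caller only needs the challenge value echoed back as text.

function challenge_response(array $query): array
{
    $challenge = $query['challenge'] ?? null;

    // ?challenge[]=x arrives as an array; missing values arrive as null.
    if (!is_string($challenge) || $challenge === '') {
        return [400, 'missing challenge'];
    }
    // Assumed allow-list: URL-safe token characters, bounded length.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,128}\z/', $challenge)) {
        return [400, 'invalid challenge'];
    }
    return [200, $challenge];
}

function send_challenge_response(array $query): void
{
    [$status, $body] = challenge_response($query);
    http_response_code($status);
    // text/plain plus nosniff keeps the browser from rendering the body as HTML.
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $body;
}

// In the controller the vulnerable line would become:
//     send_challenge_response($_GET); exit;

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs; the second is the payload from the report.
    $samples = [
        ['challenge' => 'Zx9_constructed-token'],
        ['challenge' => '<script>alert(1)</script>'],
        ['challenge' => ['nested']],
        [],
    ];
    foreach ($samples as $q) {
        [$status, $body] = challenge_response($q);
        printf("%d %s\n", $status, $body);
    }
}
```

If the value must ever be placed inside an HTML page instead, encode it at output with `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`.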
