Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Snitz Forums 2000 DEV-Group
 DEV Bug Reports (Open)
 Unsanitized URL in pop_send_to_friend.asp
 New Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Carefree
Advanced Member

Philippines
4202 Posts

Posted - 18 October 2010 :  14:54:11  Show Profile  Reply with Quote
URL isn't sanitized in "pop_send_to_friend.asp", line 175:


Look for the following line:

			"                <td bgColor=""" & strPopUpTableColor & """ colspan=""2"" align=""center""><textarea name=""Msg"" cols=""40"" rows=""5"" readonly>I thought you might be interested in this post:" & vbNewline & vbNewline & Request.QueryString("url") & "</textarea></td>" & vbNewLine & _

Change it to say:

			"                <td bgColor=""" & strPopUpTableColor & """ colspan=""2"" align=""center""><textarea name=""Msg"" cols=""40"" rows=""5"" readonly>I thought you might be interested in this post:" & vbNewline & vbNewline & chkString(Request.QueryString("url"), "SQLString") & "</textarea></td>" & vbNewLine & _

ruirib
Snitz Forums Admin

Portugal
26364 Posts

Posted - 18 October 2010 :  16:57:14  Show Profile  Send ruirib a Yahoo! Message
That URL is never stored in the database, so why would you sanitize it for a SQL injection?


Snitz 3.4 Readme | Like the support? Support Snitz too
Go to Top of Page

Davio
Development Team Member

Jamaica
12212 Posts

Posted - 18 October 2010 :  17:03:33  Show Profile
Was wondering the same thing. Even if the end user clicks on a suspected modified link, the pages have checks in place to prevent any security concern. No different if someone tried to modify the url on one of the pages to do some sql injection of some kind.

Support Snitz Forums
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.05 seconds. Powered By: Snitz Forums 2000 Version 3.4.07