03-18-2016, 09:30 AM
Hi,
I was just wondering if any penetration testing has been done with UserSpice 4.0.
Looking at the code, it appears that the validation is triggered by JavaScript (onclick event) which then triggers the jQuery call to the server-side validation. If I spoof the registration form and tinker with the client-side JavaScript, it seems possible to make database entries in the user table with no server-side validation.
When I get a bit of time, I'd be happy to have a go and show the results. I'm no expert on PHP coding though, so I don't know if I'd be able to offer a fix. Also, I could be wrong.
Anyone looked into this?
T.
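
Added example, not part of the original post and not UserSpice code: a sketch of the defensive pattern for the concern raised above, where the function that writes the user row runs validation itself instead of relying on a separate check started from the browser. The function names, table layout, validation rules and sample requests are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout; this is not UserSpice's code or schema.

/** Returns a list of validation errors; an empty list means the input is acceptable. */
function validate_registration(array $in): array
{
    $errors = [];
    $username = $in['username'] ?? '';
    $email    = $in['email'] ?? '';
    $password = $in['password'] ?? '';
    // is_string() rejects array-valued parameters before the string functions run.
    if (!is_string($username) || !preg_match('/\A[A-Za-z0-9_]{3,30}\z/', $username)) {
        $errors[] = 'username must be 3-30 letters, digits or underscores';
    }
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    if (!is_string($password) || strlen($password) < 12) {
        $errors[] = 'password must be at least 12 characters';
    }
    return $errors;
}

/** The only code path that writes a user row; it validates on every call. */
function register_user(PDO $db, array $in): array
{
    $errors = validate_registration($in);
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors]; // nothing is written
    }
    $stmt = $db->prepare('INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)');
    $stmt->execute([$in['username'], $in['email'], password_hash($in['password'], PASSWORD_DEFAULT)]);
    return ['ok' => true, 'errors' => []];
}

// Constructed demo: in-memory SQLite (needs the pdo_sqlite extension) and two made-up requests.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT UNIQUE, email TEXT, password_hash TEXT)');

// A request sent straight to the handler, as if the page's JavaScript had been removed.
$direct = register_user($db, ['username' => '<b>x</b>', 'email' => 'nope', 'password' => 'a']);
// A well-formed request.
$valid = register_user($db, ['username' => 'tester_1', 'email' => 't@example.com', 'password' => 'correct horse battery']);

$rows = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
var_dump($direct['ok'], $valid['ok'], $rows);
```

Client-side checks can stay for user feedback; the row count after the two calls shows whether the direct request reached the table.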