Possible [minor] injection risk
Reported by Reza | November 17th, 2008 @ 01:09 AM
Default generator adds a flash[:error] with unescaped params[:login] to session controller. One can simply inject arbitrary javascript code into login box.
No comments found
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create new ticket
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile »
Restful Authentication Generator
This widely-used plugin provides a foundation for securely managing user
authentication:
* Login / logout
* Secure password handling
* Account activation by validating email
* Account approval / disabling by admin
* Rudimentary hooks for authorization and access control.
http://github.com/technoweenie/restful-authentication/tree
David Siñuela (Siu)
mrflip