-
Notifications
You must be signed in to change notification settings - Fork 169
/
Copy path106350.txt
23 lines (17 loc) · 925 Bytes
/
106350.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
ReportLink:https://hackerone.com/reports/106350
WeaknessName:Violation of Secure Design Principles
Reporter:https://hackerone.com/djamel-ghorab
ReportedTo:withinsecurity(withinsecurity)
BountyAmount:250.0
Severity:
State:Closed
DateOfDisclosure:16.01.2016 1:05:51
Summary:
Hello i want to report a text injection and a missconfiguration of the 404 page which can be used in phishing
the bug exists at :
https://withinsecurity.com/test/%2f../It%20has%20been%20changed%20by%20a%20new%20one%20https://www.crowdcurity.com%20so%20go%20to%20the%20new%20one%20since%20this%20one
as you can see attacker text is included
"It has been changed by a new one https://www.crowdcurity.com so go to the new one since this one was not found on this server."
Fix : just use a 404 page that don't include attacker text just as : hackerone do (a 404 page that don't include any externel text
hope you fix it
thanks