Remove ability to inject information in blocked web page contact form.
When the Blocked Domain page is presented to the user the ability exists to change the site and category. In order to recreate this please do the following.
1. browse to a site that is known bad
2. once the Blocked Domain page loads use click contact the administrator.
3. Using firebug (or equivalent) change the website url to "mybadsite.org" and the filter to an allowed filter like "family/games"
The semi-vulnerability exists when the admin thinks it is a simple misconfiguration and allows the site on the whitelist. The site and the category should be hidden from the browser so that only validated data gets submitted to the admin's email.
Please sign in to leave a comment.
Comments
0 comments