File Upload Concern in Front Account 2.3.13 and OpenDocMan 1.2.6
I have put this in a separate report since they are not strictly
vulnerabilities.

By default, both software apps allow the end user to upload any HTML
file they wish. This means that files with malicious JavaScript may be
uploaded to the server.

The issue is that when a user clicks "view" for one of these files, it
opens in the browser under the domain of the application, so any script
it carries runs in the application's origin with the viewing user's
session.

Since the application does not provide any technical guard against this,
one must rely on the OS anti-virus signatures to pick up the malicious
code.

While uploading HTML files is not a strict vulnerability per se, the
ability to abuse this functionality with malicious code may be a more
common issue than realized.


Ken
http://silverbackventuresllc.com
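The technical guard the report says is missing is a download handler that never lets the browser render an upload as HTML under the application's own origin. The following is an added example of such a handler's header logic, written for this post; it is not code from Front Account or OpenDocMan, and the function names, the allow-list of inline-safe types and the sample uploads are all assumptions. It also goes a step beyond the report's case: it catches files whose extension or stored MIME type says "text" or "image" but whose bytes are markup.

```python
"""Added example (not project code): decide how to serve a user upload so
that it can never execute script in the application's origin."""
import re
from typing import Dict, Tuple

# Markup a browser would execute if the response were rendered inline.
# Checked against the file bytes, not the name, to catch mislabelled files.
_HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|script|svg|body|iframe|object|embed|meta)\b",
    re.IGNORECASE,
)

# Declared types that are renderable as active content: always download.
_RENDERABLE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}

# Assumed allow-list of types the app is willing to show inline.
_INLINE_SAFE_TYPES = {
    "image/png", "image/jpeg", "image/gif", "application/pdf", "text/plain",
}


def looks_like_markup(data: bytes) -> bool:
    """True if the first 1 KiB contains tags a browser would act on."""
    return bool(_HTML_MARKERS.search(data[:1024]))


def _safe_filename(name: str) -> str:
    """Keep only the last path component and header-safe characters."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^\w.\-]", "_", name) or "download"


def download_headers(filename: str, declared_type: str,
                     data: bytes) -> Tuple[bool, Dict[str, str]]:
    """Return (served_inline, response_headers) for an uploaded file.

    Rule: anything declared as, or that looks like, HTML/XML/SVG is sent as
    an attachment with a non-renderable Content-Type.  Other files are sent
    inline only if their declared type is on the allow-list, and even then
    with nosniff (so the browser cannot "upgrade" them to HTML) and a
    sandboxed CSP (so script cannot run in this origin regardless).
    """
    declared = (declared_type or "").split(";")[0].strip().lower()
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    fname = _safe_filename(filename)

    if declared in _RENDERABLE_TYPES or looks_like_markup(data):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{fname}"'
        return False, headers

    if declared in _INLINE_SAFE_TYPES:
        headers["Content-Type"] = declared
        headers["Content-Disposition"] = f'inline; filename="{fname}"'
        return True, headers

    # Unknown type: safest default is a plain download.
    headers["Content-Type"] = "application/octet-stream"
    headers["Content-Disposition"] = f'attachment; filename="{fname}"'
    return False, headers


if __name__ == "__main__":
    # Constructed sample uploads, labelled as the scenarios in the report.
    samples = [
        ("report.html", "text/html", b"<script>alert(document.domain)</script>"),
        ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("notes.txt", "text/plain", b"hello <script>alert(1)</script>"),
        ("../../etc/passwd", "text/plain", b"root:x:0:0"),
    ]
    for name, ctype, blob in samples:
        inline, hdrs = download_headers(name, ctype, blob)
        print(name, "->", "inline" if inline else "download", hdrs["Content-Disposition"])
```

Forcing `attachment` plus `nosniff` is the in-application mitigation; the stronger fix, where the deployment allows it, is to serve all uploads from a separate origin (a different hostname) so that even an inline HTML file cannot reach the application's cookies or DOM.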