- I can inject any JavaScript in Titles, Tags and possibly other locations.
- By manually changing the value of the `userid` cookie, I can log in as any user ("1" for admin). This also allows me to access the admin section of the website.
- It's highly recommended to enable "HttpOnly" for session cookies. (Secure and SameSite should also be more strict if the application allows it)
Other remarks:
- There should be a limit on the length of submission titles, these are close to infinite it seems.
Edit: It seems others are completely defacing the board by using these tricks. I just want you to know that it's not me.
Source code is at: https://github.com/robdelacruz/newsboard
Remember, no one even has to go through your form to make a POST request to one of your endpoints (unless maybe you're using CSRF tokens, which you don't seem to be). Never assume that what you send to the user has any relationship to what they send back, and never validate on the front end.
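An added illustration (not code from the newsboard repository, written in Go for demonstration) of the server-side fixes the two comments above point at: a title length check that runs regardless of the form, HTML escaping of stored titles, and a session cookie that carries an opaque random token with HttpOnly/Secure/SameSite set, resolved through a server-side store rather than trusting a `userid` value. The `maxTitleLen` value, cookie name and store shape are assumptions.

```go
package main

import (
	"errors"
	"html/template"
	"net/http"
	"strings"
	"unicode/utf8"
)

// Assumed limit; the project's actual cutoff is not stated on the page.
const maxTitleLen = 200

// validateTitle enforces the length limit on the server, whatever the form allowed.
func validateTitle(title string) (string, error) {
	t := strings.TrimSpace(title)
	if t == "" || utf8.RuneCountInString(t) > maxTitleLen {
		return "", errors.New("title missing or longer than the limit")
	}
	return t, nil
}

// renderTitle escapes for HTML context, so a stored <script> tag displays as text.
func renderTitle(title string) string { return template.HTMLEscapeString(title) }

// sessionCookie carries an opaque random token (generated elsewhere, e.g. with
// crypto/rand) instead of the user id, with the attributes recommended above.
func sessionCookie(token string) *http.Cookie {
	return &http.Cookie{
		Name: "session", Value: token, Path: "/",
		HttpOnly: true,                    // hidden from injected JavaScript
		Secure:   true,                    // HTTPS only
		SameSite: http.SameSiteStrictMode, // not sent on cross-site requests
	}
}

// sessionUser resolves the token through a server-side store (token -> user id);
// an edited or guessed cookie value matches nothing, so "1" no longer means admin.
func sessionUser(store map[string]int, r *http.Request) (int, bool) {
	c, err := r.Cookie("session")
	if err != nil {
		return 0, false
	}
	uid, ok := store[c.Value]
	return uid, ok
}
```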
As a quick fix to get the site up and running again, I just trimmed off any overly long title or cat beyond a certain limit of chars.
Source code is here https://github.com/robdelacruz/newsboard
I will look into fixing the security bugs to get the site back up and running. Feel free to check out the code.
If you have time to waste, check out my "unix fortune2" web page to get your unix fortunes. It's a clone of 'unix fortune':
Seems like the source
> newsboard - a bulletin board and bookmark sharing site (inspired by HackerNews)
https://github.com/robdelacruz/newsboard
I used plain css from scratch to keep it small. I tried to copy the HackerNews look, but using Flex instead of Tables.