comment out causes information disclosure

Disclosed: 2015-04-19 14:33:13 By shhnjk To shopify
Unknown
Vulnerability Details
Hi there,

Go to General setting (https://your-domain.myshopify.com/admin/settings/general), set Homepage Title to <!-- and change Name to "> plus HTML-tag-like words. Some data will be leaked in place of the Title on the home page. This is dangerous because sometimes the title contains highly confidential data such as cart_token, checkout_token, email, session_hash, and so on. Ticket ID is 1559798.
Report Stats
  • Report ID: 57125
  • State: Closed
  • Substate: resolved
  • Upvotes: 3