Edit report at https://bugs.php.net/bug.php?id=81523&edit=1

 ID:                 81523
 Updated by:         s...@php.net
 Reported by:        neibase123 at gmail dot com
 Summary:            The search bar in your site does not contain the "maxlength" attribute
 Status:             Open
-Type:               Security
+Type:               Bug
 Package:            Website problem
 Operating System:   irrelevant
 PHP Version:        Irrelevant
 Block user comment: N
 Private report:     N

Previous Comments:
------------------------------------------------------------------------
[2023-05-24 06:32:09] tradingstatsf at gmail dot com

My Best Home Designs are sharing latest news about home design, home decoration, real estate etc. More info to visit:(https://mybesthomedesigns.com)github.com

------------------------------------------------------------------------
[2021-10-14 10:06:04] c...@php.net

The missing maxlength attribute is certainly not a security issue, since a client can ignore that. Not restricting the length server-side, however, might be an issue in this case.

------------------------------------------------------------------------
[2021-10-13 17:06:11] neibase123 at gmail dot com

Description:
------------
Your site's search bar doesn't contain the "maxlength" HTML attribute. I enter an absurd amount of characters; if your server doesn't filter these characters, they can cause a Denial of Service attack.

Test script:
---------------
// This script works on any page on the site that contains the search bar.
// Paste the lines one by one into the browser console.
// Tested on https://www.php.net/
document.getElementsByName("pattern")[0].value = "A".repeat(10000000);
document.getElementsByName("pattern")[0].value;

Expected result:
----------------
Demonstrate how it can set a huge value in the search bar; if the attacker enters it and your server doesn't filter these characters, they can cause a DoS attack.

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=81523&edit=1

--
PHP Webmaster List Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
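
The 2021-10-14 comment in this thread places the relevant control on the server, since a client can ignore `maxlength`. The following is an added example of such a server-side check, not php.net's own code; the function name `validate_pattern`, the 256-byte limit and the status codes are assumptions, and it needs PHP 8 with the mbstring extension.

```php
<?php
declare(strict_types=1);

// Assumed limit for this example; the report does not state one.
const MAX_PATTERN_BYTES = 256;

/**
 * Validate a search "pattern" value taken from the request.
 * Returns [HTTP status code, cleaned pattern or null].
 */
function validate_pattern(mixed $raw): array
{
    // pattern[]=a arrives as an array; accept only a plain string.
    if (!is_string($raw)) {
        return [400, null];
    }
    // Check the byte length first: strlen() reads the stored length, so an
    // oversized value is rejected before any per-character work is done.
    // 414 assumes the value arrived in the query string of a GET request.
    if (strlen($raw) > MAX_PATTERN_BYTES) {
        return [414, null];
    }
    // Only the bounded input reaches the more expensive checks.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return [400, null];
    }
    $pattern = trim($raw);
    if ($pattern === '') {
        return [400, null];
    }
    return [200, $pattern];
}

// Constructed sample inputs, including the 10,000,000-character value
// that the report's test script places in the search field.
$samples = [
    'normal'    => 'array_map',
    'oversized' => str_repeat('A', 10000000),
    'array'     => ['a', 'b'],
    'bad utf-8' => "\xC3\x28",
    'blank'     => '   ',
];

foreach ($samples as $label => $value) {
    [$status, $pattern] = validate_pattern($value);
    printf("%-10s -> %d %s\n", $label, $status, $pattern ?? '(rejected)');
}
```

In a real handler the value would come from `$_GET['pattern'] ?? null`, and the check would run before the pattern is passed to any search backend.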