Hi guys,
I am sorry to bear bad news. I tested my Oxwall site after Akash's report that the sites are vulnerable.. thanks, by the way.
Now that it is publicly disclosed.. thanks but no thanks, Akash.
I can confirm that it is vulnerable. It seems that when you post a URL, Oxwall parses the title of the page; unfortunately there is no cleanup when parsing, and it parses JavaScript used as the title in the page you are linking to.
I have mitigated the problem by disabling the ability to post messages in newsfeed, forums, blogs, photo, gif etc., only allowing reading..
Until Oxwall devs fix this issue and release a quick fix version to totally mitigate this vulnerability...
As usual, it is your responsibility to test everything.
It is a major problem, since of course anyone can hijack your admin cookie and get complete access to your site.
regards..
@ross your thoughts?
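
The kind of cleanup the post says is missing, as an added example that is not part of the original post and is not Oxwall's code: the fetched page's title is reduced to plain text, then HTML-escaped at the point where it is written into the page. The function names and the sample page are hypothetical, and the PHP `dom` and `mbstring` extensions are assumed.

```php
<?php
// Added example, not Oxwall code. Function names are hypothetical.

/** Extract the <title> of a fetched page as length-limited plain text. */
function preview_title_text(string $html, int $maxLen = 120): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);   // remote HTML is rarely well-formed
    // The XML prolog makes libxml read the input as UTF-8; LIBXML_NONET blocks network loads.
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $nodes = $doc->getElementsByTagName('title');
    $text  = $nodes->length > 0 ? $nodes->item(0)->textContent : '';

    // Collapse whitespace and control characters, then cap the length.
    $text = trim(preg_replace('/[\x00-\x1F\x7F\s]+/u', ' ', $text) ?? '');
    return mb_substr($text, 0, $maxLen, 'UTF-8');
}

/** Render the title. Escaping here, at output, is what keeps it inert. */
function render_preview_title(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="link-title">' . $safe . '</span>';
}

// Constructed sample: the title is entity-encoded on the remote page, so the
// parser hands back text containing a literal <script> tag. Stripping tags
// from the raw HTML would not catch this; escaping at output does.
$remotePage = '<html><head><title>Cats &lt;script&gt;/* constructed */&lt;/script&gt;'
            . '</title></head><body></body></html>';

$title = preview_title_text($remotePage);
echo render_preview_title($title), PHP_EOL;
```

The same escaping has to be applied wherever the stored title is rendered, so a title saved before the fix is also emitted as text.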