quick fix: on the [shelf] level
created safeurl shelf action which took the url action and wrapped the "(request raw url)" with a (PageFormatter toSafeLocation: ...) then replaced <?url?> with <?safeurl?> in the shelf notFound template. probably needs more careful study, but that's a start.

hal

On Mar 5, 2008, at 3:55 PM, Hal Eden wrote:

> good points in the article! i wasn't thinking of that.
>
> so the alert could be a password grabber, e-mailing the passwords for
> your swiki users to the hacker (and you would be none the wiser--i
> don't even see anything in the log)
>
> thanks, antonio.
>
> hal
>
> On Mar 5, 2008, at 3:37 PM, Antonio Barros wrote:
>
>> Dear Professor Mark,
>>
>> I think this short article can help: "Cross site scripting (XSS)
>> attacks are often seen as a powerless hack. While this is true in
>> some cases, for the most part the impact of an XSS vulnerability is
>> left up to the imagination and talent of the attacker..."
>> <http://www.informit.com/articles/article.aspx?p=603037>.
>> I am not a security expert, but I think this can happen in the swiki
>> home and in any page with edit permission or an "add to the page"
>> button.
>> My best,
>>
>> Antonio Barros
>> Brazil
>>
>> On 05/03/2008, at 18:31, Guzdial, Mark wrote:
>>
>>> I'm not even sure I grok the question...
>>>
>>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED] on behalf of
>>> [EMAIL PROTECTED]
>>> Sent: Wed 3/5/2008 4:23 PM
>>> To: [EMAIL PROTECTED]
>>> Subject: [Swiki-bugs] SWIKI 1.5 Cross-Site Scripting
>>>
>>> Swiki-Bugs,
>>> FYI there is an XSS vuln in Swiki 1.5 exploitable by:
>>>
>>> http://[host]:8000/<script>alert("XSS");</script>
>>>
>>> I would like to post to bugtraq so please let me know when it has
>>> been fixed! Thanks!
>>>
>>> --
>>> Brad Antoniewicz
>>> Senior Security Consultant
>>> Foundstone Professional Services
>>> A Division of McAfee
>>> http://www.foundstone.com
>>>
>>> [EMAIL PROTECTED]
>>> (O) 646.728.1493
>>> (C) 347.801.5864
>>> (F) 212.869.6720
>>> 1133 Avenue of the Americas
>>> New York, NY 10036
>>> PGP Key: http://www.foundstone.com/us/pgpkeys/bradantoniewicz.asc
>>> Blog: http://www.avertlabs.com/research/blog/
>>>
>>> _______________________________________________
>>> Swiki-bugs mailing list
>>> [EMAIL PROTECTED]
>>> https://mailman.cc.gatech.edu/mailman/listinfo/swiki-bugs
>>>
>>> _______________________________________________
>>> Pws mailing list
>>> Pws@cc.gatech.edu
>>> https://mailman.cc.gatech.edu/mailman/listinfo/pws
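The fix Hal describes at the top of the thread (escape the raw request URL before it is substituted into the notFound template, and have the template use the escaped value) as an added Python illustration; this is not Swiki's own Squeak Smalltalk code. The template text, the `to_safe_location` helper and the request path are constructed stand-ins for the real shelf template, `PageFormatter toSafeLocation:` and the reported request.

```python
import html

# Constructed stand-ins for the shelf "notFound" template, before and after the
# <?url?> -> <?safeurl?> change described in the thread (not the real Swiki files).
NOT_FOUND_TEMPLATE_BEFORE = (
    "<html><body><h1>Page not found</h1>"
    "<p>No page at <?url?></p></body></html>"
)
NOT_FOUND_TEMPLATE_AFTER = (
    "<html><body><h1>Page not found</h1>"
    "<p>No page at <?safeurl?></p></body></html>"
)


def render_template(template, actions):
    """Substitute each <?name?> placeholder with the string its action produced."""
    out = template
    for name, value in actions.items():
        out = out.replace("<?%s?>" % name, value)
    return out


def to_safe_location(raw_url):
    """Stand-in for wrapping the raw request URL in PageFormatter toSafeLocation:.
    HTML-escapes <, >, &, and quotes so the URL is shown as text, not parsed as markup."""
    return html.escape(raw_url, quote=True)


def not_found_before(raw_url):
    """Original behaviour: the raw request URL is echoed into the 404 body unescaped."""
    return render_template(NOT_FOUND_TEMPLATE_BEFORE, {"url": raw_url})


def not_found_after(raw_url):
    """Fixed behaviour: the template references the escaped 'safeurl' action."""
    return render_template(
        NOT_FOUND_TEMPLATE_AFTER,
        {"url": raw_url, "safeurl": to_safe_location(raw_url)},
    )


def contains_markup(body, text_fragment):
    """Detection check: does the rendered body still contain the submitted fragment as live markup?"""
    return text_fragment in body


# Constructed request path of the shape reported to the list (not a captured request).
REPORTED_PATH = '/<script>alert("XSS");</script>'
</test>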