* Thijs Kinkhorst <[EMAIL PROTECTED]> [2008-10-02 10:53:54 CEST]:
> On Thu, October 2, 2008 10:43, Gerfried Fuchs wrote:
> > Yoshinori Ohta of Business Architects Inc. found an XSS issue in blosxom
> > related to handling of unknown flavour types. The fix is now committed to
> > upstream CVS:
> > <http://blosxom.cvs.sourceforge.net/viewvc/blosxom/blosxom2/blosxom.cgi?r1=1.83&r2=1.84>
> 
> Does blosxom have some kind of valuable information stored in cookies? As
> far as I understand it one manipulates the blog postings out-of-band?

 Not in itself, but it might be the case in connection with some plugin
extensions that enable comments or web editing (none of them are shipped
in Debian). I'm sorry to have wrongly put it as medium into the security
tracker in the first place, which was clearly wrong. I guess even low
might be too high of an option, but we finally figured out a way that
it's possible to inject a / into the output that enables it to inject
arbitrary data.

 So long,
Rhonda
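As an added illustration of the class of bug discussed above (this is a constructed handler, not blosxom's code and not the upstream fix): a flavour name taken from the request is whitelisted before it is used anywhere and HTML-escaped wherever it is echoed, including the error branch for an unknown flavour. The three known flavour names and the sample inputs are assumptions for the demo.

```perl
#!/usr/bin/perl
# Illustrative flavour handling, not blosxom's own code. Inputs are constructed.
use strict;
use warnings;

my %known_flavours = map { $_ => 1 } qw(html rss atom);

# Unsafe: the requested flavour lands in the error page verbatim, so any
# markup contained in it is rendered by the browser.
sub error_page_unsafe {
    my ($flavour) = @_;
    return "<p>Unknown flavour: $flavour</p>";
}

# Minimal HTML escaping for text nodes and attribute values.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Hardened: accept only a short alphanumeric token (so '/', '<', '>' and
# friends never get through) and escape it on output even when unknown.
# Returns (flavour, undef) on success or (undef, error_html) on failure.
sub resolve_flavour {
    my ($requested) = @_;
    $requested = '' unless defined $requested;
    my $ok = $requested =~ /^[A-Za-z0-9]{1,20}\z/ && $known_flavours{$requested};
    return ($requested, undef) if $ok;
    return (undef, '<p>Unknown flavour: ' . html_escape($requested) . '</p>');
}

# Constructed sample requests: one valid, one unknown, two containing markup.
for my $f ('html', 'txt', '<b>x</b>', 'a/b') {
    my ($flavour, $err) = resolve_flavour($f);
    if (defined $flavour) {
        print "accepted: $flavour\n";
    } else {
        print "hardened: $err\n";
        print "unsafe:   " . error_page_unsafe($f) . "\n";
    }
}
```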


