The search on the demo is based on a sample template. It is the responsibility of the templater to make the templates safe (there is no standard mechanism in Magnolia per se). Sure, we will update the sample template if this is not done properly.

Please send the details to [EMAIL PROTECTED] so that we can discuss the matter in detail.

Thank you very much

Philipp Bracher

On Oct 24, 2008, at 10:10 PM, Hans Wolters wrote:

Hi,

On 24-okt-2008, at 22:02, Grégory Joseph wrote:

Where, how and how does it affect the system?


If you trust the publisher (patrick in the demo), then this person can inject XSS into the search box (bottom right). I stopped checking for more problems, but it proves at this point that Magnolia does not validate certain user input.

If you want the exact injection, then please provide some kind of security handle; I will mail it to them.

Best regards,

Hans


On Oct 24, 2008, at 8:37 PM, Hans Wolters wrote:

Dear all,

Is there a security member I can contact? I was able to store XSS into the demo.

__utmc=138021676; __utmz=138021676.1224872755.1.1.utmcsr=java-source.net|utmccn=(referral)|utmcmd=referral|utmcct=/open-source/content-managment-systems/magnolia; JSESSIONID=CB6F27C2FBA0829B95A5B246DD831789; __utmb=138021676.3.10.1224872755; __utma=138021676.3812302028448725000.1224872755.1224872755.1224872755.1

Best regards,

Hans Wolters

----------------------------------------------------------------
for list details see
http://www.magnolia-cms.com/home/community/mailing-lists.html
----------------------------------------------------------------
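The point Philipp makes at the top of the thread, that the template (not the CMS core) decides whether stored content is emitted safely, is easiest to see side by side. The following is an added example, not Magnolia's sample template nor anything Hans mailed to the project: it stands in for a FreeMarker/JSP search-box template with a minimal Python string template, and uses a constructed payload chosen here for illustration (Hans never posted his). It renders the same stored search term once with plain concatenation and once with attribute-safe HTML escaping, and shows that the escaped version both blocks the injected element and preserves the search term for the user.

```python
import html
import re

# Constructed payload for this example (not the injection reported in the thread).
# It closes the value="" attribute and the <input> tag, then starts a script element.
STORED_PAYLOAD = '"><script>alert(document.cookie)</script>'

# Hypothetical stand-in for a search-box template that concatenates stored content
# straight into an attribute value, the way an unescaped ${query} in a template would.
def render_search_box_unsafe(query: str) -> str:
    return ('<form action="/search">'
            f'<input type="text" name="q" value="{query}">'
            '</form>')

# Same template with the value escaped for an HTML attribute context.
# quote=True is essential here: in an attribute, the double quote is the character
# that lets an attacker break out, so it must become &quot;.
def render_search_box_safe(query: str) -> str:
    return ('<form action="/search">'
            f'<input type="text" name="q" value="{html.escape(query, quote=True)}">'
            '</form>')

# Count element start tags in the rendered markup; a correct search box has exactly
# two (<form> and <input>). Any extra one came from the stored content.
def count_elements(markup: str) -> int:
    return len(re.findall(r'<[A-Za-z][A-Za-z0-9]*', markup))

# Recover what a browser would put in the search box: the text of the value=""
# attribute with entities decoded. For the unsafe rendering the attribute is cut
# short at the injected quote, so the user's term is lost as well.
def displayed_value(markup: str) -> str:
    m = re.search(r'value="([^"]*)"', markup)
    return html.unescape(m.group(1)) if m else ''

def contains_script(markup: str) -> bool:
    return re.search(r'<script\b', markup, re.IGNORECASE) is not None


if __name__ == '__main__':
    for label, render in (('unsafe', render_search_box_unsafe),
                          ('safe', render_search_box_safe)):
        out = render(STORED_PAYLOAD)
        print(f'{label}: elements={count_elements(out)} '
              f'script={contains_script(out)} value={displayed_value(out)!r}')
        print('   ', out)
```

Running it shows the unsafe rendering carrying three elements and an empty search box, while the safe rendering keeps two elements and round-trips the full stored string as inert text. The same check applies whether the term comes from a query parameter or, as in the thread, from content a trusted publisher stored through the CMS: the template must escape for the context it writes into, and a search-box attribute is a different context from element text.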