Thanks for pointing to the 0.11.pl1 release, Rob. Yesterday I was preparing the release the whole day but still hadn't reported it here. Please spread the word about the security release.

For i2: I think that the cross-site scripting is because of the bad sanitize functions in Rails, so expect more applications to be vulnerable. i2 is not really Instiki codebase, since it is only intended to work on the main Rails wiki site.

Guys, please submit patches for the 0.12 version, since I want to get this thing forward.

Greetings,
parasew

On 2/28/07, Rob Sanheim <[EMAIL PROTECTED]> wrote:
> There is an XSS vulnerability in Instiki .11, if you aren't running
> the very latest release. I'm not sure why there hasn't been an
> announcement to this list about the issue, as if you *aren't* running
> .11p1 then you are vulnerable. Note that .11p1 was released today,
> Feb. 27.
>
> If you go to instiki.org you can see a JavaScript popup, which
> illustrates the flaw nicely and points you to a description of the
> flaw:
>
> http://golem.ph.utexas.edu/~distler/blog/archives/001181.html
>
> Does anyone know if this also affects i2? Here is a link to p1 if
> you want to update your Instiki installation:
>
> http://rubyforge.org/frs/shownotes.php?release_id=10014
>
>
> - Rob
> _______________________________________________
> Instiki-users mailing list
> [email protected]
> http://rubyforge.org/mailman/listinfo/instiki-users
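The thread attributes the XSS to weak sanitize functions. The following is an added illustration, not Instiki's or Rails' own code, of why a denylist sanitizer (strip the tags you know are dangerous) fails where an allowlist approach (escape everything, then re-enable only a small set of harmless, attribute-free tags) holds up. The function names, the allowlist and the sample inputs are all constructed for this example.

```ruby
require 'cgi'

# Constructed example (not Instiki or Rails code).
# Denylist approach: remove <script> elements and nothing else. Any other
# way to run script, such as an on* event-handler attribute, passes through.
def naive_strip_script(html)
  html.gsub(%r{<script\b[^>]*>.*?</script>}mi, '')
end

# Allowlist approach: escape the whole string, then re-enable only bare
# opening/closing tags from a short list. Tags with attributes, and tags
# not on the list, stay escaped and render as literal text.
ALLOWED_TAGS = %w[b i em strong p].freeze

def allowlist_sanitize(html)
  escaped = CGI.escapeHTML(html)
  escaped.gsub(%r{&lt;(/?)(#{ALLOWED_TAGS.join('|')})&gt;}i) { "<#{$1}#{$2.downcase}>" }
end

# Detection helper: true if the output still contains a real <script> tag
# or a tag carrying an on* event-handler attribute.
def executable_markup?(html)
  !!(html =~ %r{<script\b}i) || !!(html =~ %r{<[a-z][^>]*\son\w+\s*=}i)
end

# Constructed sample inputs: benign markup, a script element, and an
# event-handler attribute on an otherwise ordinary tag.
SAMPLES = [
  "<b>bold</b> text",
  "<script>alert(1)</script>hi",
  "<img src=x onerror=alert(1)>",
].freeze

# Runs both sanitizers over the samples and reports which outputs are inert.
def compare(samples = SAMPLES)
  samples.map do |s|
    {
      input: s,
      naive_safe: !executable_markup?(naive_strip_script(s)),
      allowlist_safe: !executable_markup?(allowlist_sanitize(s)),
    }
  end
end

if __FILE__ == $0
  compare.each { |row| puts row.inspect }
end
```

The point the comparison makes: the denylist version returns a "clean" result for the third sample even though the event handler survives, while the allowlist version never has to enumerate dangerous constructs because anything it does not explicitly permit stays escaped.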
