Sorry, I didn't mean to give the impression that I was panicking or trying to be pushy. :P
And, I do understand it's essentially a client side exploit, but where I work there are a hundred layers of red tape and bureaucracy between me and the security auditors. They'll push any minor violation through all layers of management like a freight train... "This report says you're in violation of this policy." / "yeah, but it's an obscure corner case and it basically only affects old, broken browsers..." / "Section 13, Paragraph 7, item 3 of our security policy document says clearly that any 'warning' level violations must be...." / "ugh, fine!" ... That's basically how it goes. :P

Anyways, thanks for the quick patch. I'll try it tonight and write back if I have any problems.

--
Isaac Freeman - Systems Administrator
IBM SmartCloud Managed Backup
[email protected]
919-254-0245

From: Roland Gruber <[email protected]>
To: [email protected]
Date: 01/24/2013 05:21 PM
Subject: Re: [Lam-public] Cookie injection?

Hi Isaac,

On 24.01.2013 17:40, Isaac Freeman wrote:
> Anyways, the security team points out that even though the cookie
> isn't actually injected, the <script> tags from the URL do find
> themselves in the resulting HTML in the <form> tag, and that this
> is a vulnerability which needs to be fixed. Any idea what I can do
> on my end to fix that, or will it require fixing the LAM code
> itself? If so, is there any chance it could be patched? I'll be
> happy to file a detailed bug if requested.

there is no need to panic. Of course, you will get a fast fix if there is really a security problem. As I understand there is NO cookie injection. I will send you a patch for the URL parameter injection off-list. There will be an official patch in the next few days.

About XSS attacks: this requires that an attacker provides a link (e.g. via email) to the victim user and he clicks it. Then there can be malicious JavaScript code that is executed in the victim's browser. This is a client-only attack, no direct attacks on the server are possible.

Please let me know if your security team finds other potential leaks.

Best regards

Roland

_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public
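The pattern the security team flagged in this thread, URL input ending up inside the `<form>` tag, shown next to an escaped version with a small regression check. This is an added example, not part of the original messages and not LAM's code or the patch mentioned above; the `login.php` page, the `next` parameter and all function names are hypothetical.

```php
<?php
// Hypothetical page handler, not LAM's code: it echoes a URL parameter
// back into the <form> tag, which is the pattern described in the thread.

/** Vulnerable: the raw parameter value is concatenated into the attribute. */
function renderFormUnsafe(string $next): string
{
    return '<form method="post" action="login.php?next=' . $next . '">';
}

/** Hardened: URL-encode the value, then HTML-escape the whole attribute. */
function renderFormSafe(string $next): string
{
    $action = 'login.php?next=' . rawurlencode($next);
    return '<form method="post" action="'
        . htmlspecialchars($action, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '">';
}

/**
 * Regression check: true if input containing markup-significant
 * characters appears verbatim (unescaped) in the rendered HTML.
 */
function reflectsRawMarkup(string $html, string $input): bool
{
    return preg_match('/[<>"\']/', $input) === 1
        && strpos($html, $input) !== false;
}

// Constructed sample value, as it arrives after PHP decodes the query string.
$sample = '"><script>alert(1)</script>';

$renderers = ['unsafe' => 'renderFormUnsafe', 'safe' => 'renderFormSafe'];
foreach ($renderers as $label => $fn) {
    $html = $fn($sample);
    $flag = reflectsRawMarkup($html, $sample) ? 'yes' : 'no';
    printf("%-6s raw reflection: %s\n  %s\n", $label, $flag, $html);
}
```

Running the same check against a page before and after applying a fix gives the auditors a concrete pass/fail result for the finding.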
