This is an automated notification sent by Gna!.
It relates to:
                bugs #1937, project Savane

==============================================================================
 LATEST MODIFICATIONS of bugs #1937:
==============================================================================

               Posted by: an anonymous user
               Posted on: 2004-12-11 12:53 ()
    _______________________________________________________

Follow-up Comment:
Please make sure it does not break anything else. 



I'm aware of such "vulnerabilities" (well, one should first forge the URL and
go to this forged URL). I'd rather like to see a real exploit demo than just
always this "bla bla cross site script possible". The fact is that PHP does
not allow adding checks on everything that does not involve serious breakage of
other things depending on the configuration. In other words, fixes on this kind
of thing should be checked and rechecked in order to avoid breaking real
stuff just to avoid a potential issue that no one has already been able to
exploit maliciously.



Mathieu (not logged in, at BNUS, where the network is pure crap).



==============================================================================
 OVERVIEW of bugs #1937:
==============================================================================

URL:
  <http://gna.org/bugs/?func=detailitem&item_id=1937>

                 Summary: xss
                 Project: Savane
            Submitted by: beuc
            Submitted on: Fri 10.12.2004 at 20:50
                Category: Web Frontend
                Severity: 3 - Average
                Priority: E - Immediate
                  Status: Fixed
                 Privacy: Public
             Assigned to: beuc
             Open/Closed: Closed
                 Release: 
         Planned Release: 

    _______________________________________________________


http://lists.gnu.org/archive/html/savannah-hackers/2004-12/msg00283.html

shows 2 xss in Savane. I'm gonna add 2 htmlspecialchars().

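As an added illustration (not code from this report or from Savane itself), the pattern the fix above applies: a request parameter echoed into the page as-is, next to the same output passed through htmlspecialchars(). The parameter name q, the function names and the sample input are assumptions made for the example.

```php
<?php
// Added example, not Savane code: the reflected-output pattern the report
// fixes, shown unescaped and then escaped with htmlspecialchars().
// The parameter name "q" and the function names are hypothetical.

// Vulnerable pattern: a request parameter is echoed straight into the page,
// both as element content and inside an attribute value. Anything in it that
// looks like markup is handed to the browser as markup.
function render_unescaped(string $q): string
{
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" name="q" value="' . $q . '">';
}

// Hardened pattern: encode at the HTML boundary, on output.
// ENT_QUOTES also converts single quotes, so the same call is safe for
// attribute values; passing the charset explicitly avoids depending on the
// server-wide default.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

function render_escaped(string $q): string
{
    $safe = esc($q);
    return '<p>Results for: ' . $safe . '</p>'
         . '<input type="text" name="q" value="' . $safe . '">';
}

// Constructed sample input (not taken from the report): text that is harmless
// as content but becomes tags and an attribute break if copied through as-is.
$input = isset($_GET['q']) ? (string) $_GET['q'] : '<b>"quoted"</b> & more';

echo render_unescaped($input), PHP_EOL;
echo render_escaped($input), PHP_EOL;
```

Run it from the command line to compare the two outputs for the built-in sample, or serve it and pass a q parameter; the escaped version renders the input as visible text in both the paragraph and the input field.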
    _______________________________________________________

Follow-up Comments:


-------------------------------------------------------
Date: Fri 10.12.2004 at 20:56        By: Sylvain Beucler <beuc>
Done.
==============================================================================

This item URL is:
  <http://gna.org/bugs/?func=detailitem&item_id=1937>

_______________________________________________
  Message posted via Gna!
  http://gna.org/


_______________________________________________
Savane-dev mailing list
https://mail.gna.org/listinfo/savane-dev