[Social-discuss] GNU social XSS vulnerability, version bumped to v1.1.2
From: Mikael Nordfeldth
Subject: [Social-discuss] GNU social XSS vulnerability, version bumped to v1.1.2
Date: Sat, 25 Oct 2014 15:19:07 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.1.2
Hi all, I'm the maintainer of GNU social. Feel free to download my
attached public OpenPGP key if you think it might be of use in the future.
I wish to announce that a GNU social XSS vulnerability was discovered in
the Bookmark plugin, which is enabled by default. I have not asked
whether I can name the person who found the issue, but will give proper
attribution if this person would like that.
Affects: GNU social master repository up until commit #048af5a.
Also affects: StatusNet, all versions (since Bookmark plugin).
Reason: There was no proper check on the input value of the Bookmark
URL, making it possible to enter a value such as
'javascript:alert("Resistance is futile!")'.
Severity: Reasonably, this would require a user to click the link rather
than have anything automatically execute. Should this be a bad
assumption from my side, please voice it on this list and to whomever
may need that info.
Fix: I patched this in commit 39b5e08 visible at
https://gitorious.org/social/mainline/commit/39b5e08d44e22cd3ecd3bf3ba9011ba4944a9c4b
and can easily be applied by hand to StatusNet code.
The resulting source update bumped the version number to 1.1.2-alpha1,
since I figure that might get people to update quicker.
Standard update procedure applies, though no database changes have been
applied lately:
# Stop daemons if you're running them.
# git pull
# php scripts/upgrade.php
# Start daemons.
# Live long and prosper.
--
Mikael Nordfeldth
http://blog.mmn-o.se/
XMPP/mail: address@hidden
Attachment: 0xB52E9B31.asc (application/pgp-keys)
Attachment: signature.asc (OpenPGP digital signature)
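The "Reason" and "Fix" paragraphs above describe the missing check: a bookmark URL was accepted as-is, so a value with a javascript: scheme became a clickable link. The block below is an added example, not part of the original message and not the GNU social or StatusNet code (the project is PHP; Python is used here only to illustrate the technique). It assumes a hypothetical validate_bookmark_url() called when a bookmark is submitted and a hypothetical render_bookmark_link() used when the stored URL is rendered; both names are made up for this example. It goes slightly beyond the single payload in the advisory by also handling mixed-case schemes, embedded tab/newline characters that browsers strip before parsing, and scheme-less values, and it attribute-escapes the URL on output as a second line of defence.

```python
# Added example (not GNU social / StatusNet code): validate a user-supplied
# bookmark URL against a scheme allowlist before storing it, and escape it
# again when rendering it into an <a href> attribute.
import html
from urllib.parse import urlsplit

# Only these schemes may become a bookmark link. javascript:, data:,
# vbscript: and anything else are rejected outright (allowlist, not denylist).
ALLOWED_SCHEMES = frozenset({"http", "https"})


class InvalidBookmarkUrl(ValueError):
    """Raised when a submitted URL must not be stored as a bookmark."""


def normalize_url(raw: str) -> str:
    # Browsers drop ASCII tab/newline anywhere in a URL and ignore
    # surrounding whitespace, so "java\tscript:" would still execute if only
    # the raw string were inspected. Apply the same stripping before parsing.
    cleaned = raw.strip()
    for ch in ("\t", "\n", "\r"):
        cleaned = cleaned.replace(ch, "")
    return cleaned


def validate_bookmark_url(raw: str) -> str:
    """Return a cleaned absolute http(s) URL, or raise InvalidBookmarkUrl."""
    if not isinstance(raw, str) or not raw.strip():
        raise InvalidBookmarkUrl("empty URL")
    url = normalize_url(raw)
    try:
        parts = urlsplit(url)  # urlsplit lower-cases the scheme for us
    except ValueError as exc:  # e.g. malformed IPv6 literal
        raise InvalidBookmarkUrl(f"unparseable URL: {exc}") from exc
    if parts.scheme not in ALLOWED_SCHEMES:
        # Rejects javascript:, data:, mixed-case JaVaScRiPt:, and also
        # scheme-less values such as "//host/path" or "host/path".
        raise InvalidBookmarkUrl(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise InvalidBookmarkUrl("URL has no host")
    return parts.geturl()


def is_safe_bookmark_url(raw: str) -> bool:
    """Boolean convenience wrapper around validate_bookmark_url()."""
    try:
        validate_bookmark_url(raw)
        return True
    except InvalidBookmarkUrl:
        return False


def render_bookmark_link(raw_url: str, title: str) -> str:
    """Second line of defence: even a validated URL is attribute-escaped on
    output, so a stray quote or ampersand cannot break out of the href."""
    url = validate_bookmark_url(raw_url)
    return '<a href="{}">{}</a>'.format(
        html.escape(url, quote=True), html.escape(title, quote=True)
    )


if __name__ == "__main__":
    # Constructed sample submissions, including the payload shape named in
    # the advisory; none of these came from real users.
    samples = [
        "https://example.org/page?x=1",
        'javascript:alert("Resistance is futile!")',
        " JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        "//example.org/x",
        "data:text/html,<script>alert(1)</script>",
    ]
    for s in samples:
        verdict = "accept" if is_safe_bookmark_url(s) else "reject"
        print(f"{s!r:50} -> {verdict}")
    print(render_bookmark_link("http://example.org/?a=1&b=2", 'Bob "the" <b>'))
```

The allowlist is the important design choice: a denylist of "javascript:" alone misses data:, vbscript: and case or whitespace variants, whereas accepting only http and https needs no knowledge of how browsers will interpret the rest. Escaping on output is kept separate from validation on input because stored data may have entered through other paths (older records, imports, API clients) before the check existed.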