[Social-discuss] GNU social XSS vulnerability, version bumped to v1.1.2

[Mikael Nordfeldth]

Hi all, I'm the maintainer of GNU social. Feel free to download my
attached public OpenPGP key if you think it might be of use in the future.

I wish to announce that a GNU social XSS vulnerability was discovered in
the Bookmark plugin, which is enabled by default. I have not asked
whether I can name the person who found the issue, but will give proper
attribution if this person would like that.


Affects: GNU social master repository up until commit #048af5a.
Also affects: StatusNet, all versions (since Bookmark plugin).

Reason: There was no proper check on the input value of the Bookmark
URL, making it possible to enter a value such as
'javascript:alert("Resistance is futile!")'.

Severity: Reasonably, this would require a user to click the link rather
than have anything automatically execute. Should this be a bad
assumption from my side, please voice it on this list and to whomever
may need that info.

Fix: I patched this in commit 39b5e08 visible at
https://gitorious.org/social/mainline/commit/39b5e08d44e22cd3ecd3bf3ba9011ba4944a9c4b
and can easily be applied by hand to StatusNet code.


The resulting source update bumped the version number to 1.1.2-alpha1,
since I figure that might get people to update quicker.

Standard update procedure applies, though no database changes have been
applied lately:
# Stop daemons if you're running them.
# git pull
# php scripts/upgrade.php
# Start daemons.
# Live long and prosper.

-- 
Mikael Nordfeldth
http://blog.mmn-o.se/
XMPP/mail: address@hidden

0xB52E9B31.asc
Description: application/pgp-keys

signature.asc
Description: OpenPGP digital signature