| To: | bugtraq@securityfocus.com |
|---|---|
| Subject: | Mephisto blog is vulnerable to XSS |
| From: | Sergey Tikhonov <st@haqu.net> |
| Date: | Sun, 25 Mar 2007 12:52:39 +0700 |
| Delivered-to: | sp-com-lists@consult.net |
| Delivered-to: | bugtraq-list@securepoint.com |
| Delivered-to: | mailing list bugtraq@securityfocus.com |
| Delivered-to: | moderator for bugtraq@securityfocus.com |
| List-help: | <mailto:bugtraq-help@securityfocus.com> |
| List-id: | <bugtraq.list-id.securityfocus.com> |
| List-post: | <mailto:bugtraq@securityfocus.com> |
| List-subscribe: | <mailto:bugtraq-subscribe@securityfocus.com> |
| List-unsubscribe: | <mailto:bugtraq-unsubscribe@securityfocus.com> |
| Mailing-list: | contact bugtraq-help@securityfocus.com; run by ezmlm |
Hello everyone!Current bleeding-edge version of Mephisto blog is vulnerable to XSS. Comment's author name accept javascript code. If admin approves/ rejects comments manually, he have to load all unapproved comments, so it's possible to fetch his session id. ExampleAdd new comment with the following author name: <script>alert (document.cookie)</script> Then from admin's overview section check this comment - you'll see message with cookie. If you manually approve your comments, check list of pending comments. How to fix it patch for <approot>/app/helpers/application_helper.rb : 5c5 < return comment.author if comment.author_url.blank? --- > return h(comment.author) if comment.author_url.blank? Best wishes! Sergey Tikhonov |
| <Prev in Thread] | Current Thread | [Next in Thread> |
|---|---|---|
| ||
| Previous by Date: | Horde Webmail Multiple HTML Injection vulnerability, DoZ |
|---|---|
| Next by Date: | Fizzle : Firefox Extension Vulnerability, CrYpTiC MauleR |
| Previous by Thread: | Horde Webmail Multiple HTML Injection vulnerability, DoZ |
| Next by Thread: | Fizzle : Firefox Extension Vulnerability, CrYpTiC MauleR |
| Indexes: | [Date] [Thread] [Top] [All Lists] |