[pLog-svn] xss in 1.2.7

Mark Wu markplace at gmail.com
Sat May 3 10:06:07 EDT 2008


Actually, it happened in every search term ...

The problem is .... Does it matter if a user can get his own cookie? 

He can do the same thing with template editor ....

Mark
> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Saturday, May 03, 2008 9:33 PM
> To: plog at hugi.to; LifeType Developer List
> Subject: Re: [pLog-svn] xss in 1.2.7
> 
> On Sat, 3 May 2008, Reto Hugi wrote:
> >> http://www.securityfocus.com/archive/1/491550
> >
> > I noticed that too, just a minute ago. Looks like we've got the same 
> > Google Alert ;)
>  	:)
> 
> > There are even more search fields around, that have no filter. But for 
> > example admineditcommentsachtion is filtering the searchTerms.
> >
> > Will you have time to fix it or shall I do it? (I'm away for today, 
> > but could do it tomorrow).
>  	I think I probably shouldn't do lifetype stuff today, I 
> have been ignoring most of my other work.  I think what we 
> really need is an exhaustive search through all parameters, 
> rather than fixing them one at a time when someone else finds them.
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
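The unfiltered search field the thread discusses, as an added example (not LifeType's own code): the reflected pattern next to an output-encoded version. Only the parameter name `searchTerms` comes from the thread; the function names and the sample input are constructed for the illustration.

```php
<?php
// Added example, not LifeType code. Parameter name searchTerms is from the
// thread; function names are hypothetical.

// Vulnerable pattern: the request value is echoed back into the page as-is,
// so any markup the visitor put in the search box is rendered by the browser.
function renderSearchVulnerable(array $request): string
{
    $terms = (string)($request['searchTerms'] ?? '');
    return '<input type="text" name="searchTerms" value="' . $terms . '">'
         . '<p>Results for: ' . $terms . '</p>';
}

// Fix: encode for the HTML context at the point of output. ENT_QUOTES also
// encodes single and double quotes, which is what keeps an attribute value
// from being terminated early; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSearchFixed(array $request): string
{
    $terms = (string)($request['searchTerms'] ?? '');
    return '<input type="text" name="searchTerms" value="' . escapeHtml($terms) . '">'
         . '<p>Results for: ' . escapeHtml($terms) . '</p>';
}

// Constructed sample input: a quote to close the attribute, then a tag.
$sample = ['searchTerms' => '"><b>term</b>'];

$unsafe = renderSearchVulnerable($sample);
$safe   = renderSearchFixed($sample);

// The vulnerable page contains a live <b> element; the fixed page contains
// only the encoded text, inside the attribute and inside the paragraph.
assert(strpos($unsafe, '"><b>term</b>') !== false);
assert(strpos($safe, '<b>') === false);
assert(strpos($safe, 'value="&quot;&gt;&lt;b&gt;term&lt;/b&gt;"') !== false);

echo $safe, PHP_EOL;
```

Encoding at output rather than filtering each parameter on input is what makes the "exhaustive search through all parameters" Jon mentions tractable: every template echo goes through one function.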