[pLog-svn] Lifetype 1.2.8 ...

Mark Wu markplace at gmail.com
Sun May 4 06:56:56 EDT 2008


As I said in the previous post, I don't think it is an issue for us, because
a user getting his own cookie does not hurt anything.

But it is really better to escape the HTML special characters in
$searchTerms; it can prevent those characters from breaking the admin layout.

Mark

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Jon Daley
> Sent: Sunday, May 04, 2008 6:04 PM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] Lifetype 1.2.8 ...
> 
> On Sun, 4 May 2008, Mark Wu wrote:
> > For 6435, you can try to revert the code first, then try to search 
> > your article category with a keyword that you don't have, 
> > for example 'abc'.
> >
> > Do you see the difference? So, I say it is a more serious 
> > bug. Because 
> > it can show other article categories...
> 	Ok, I see it.  But I wouldn't call it "serious", since 
> the person can't do anything with the other categories - ie. 
> if he clicks on them it shows an error.  Definitely a bug, 
> just not a needs-to-be-released-today sort of bug.
> 
> > For 6436 & 6437, Just fix the XSS you reported in svn.
> 	I didn't understand the code that the guy was showing.
> 
> Can't his exploit be more simply written:
> 
> <!-- on load, copy the current document's cookie into the text field -->
> <body onload="document.form.lala.value = document.cookie">
>   <form name="form">
>     <input type="text" name="lala" value="">
>   </form>
> </body>
> 
> I am not sure where the security issue is.  A user can see 
> his own cookie, which he could also do by viewing his cookies 
> in his browser.  And this can't be prevented by server side code.
> 
> I had originally assumed this meant the user could get data 
> that he didn't already have, or that the data could be sent 
> to someone else, but I no longer see how that is the case.  
> If he can get you to send that data to some other web page 
> that would be more interesting.  Or perhaps he is saying that 
> the cookie data ends up in the search terms, so then the 
> content would be in a log somewhere?
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
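Mark's suggestion above, escaping the HTML special characters in $searchTerms before it is echoed back into the admin page, shown as an added example. This is not LifeType's own code: the function names, the two rendering contexts (a text node and an input value attribute) and the payload are assumptions made for illustration. The payload follows the shape of the snippet quoted above; whoever loads a URL carrying it gets the unescaped version rendered in their own session, which is why the reflection matters even though reading one's own cookie does not.

```php
<?php
// Added example, not LifeType's own code. Assumes the admin search page
// echoes the submitted term back both as text and as the value of the
// search box; function and variable names are hypothetical.

/** Unsafe rendering: $searchTerms goes straight into the markup. */
function renderSearchHeaderUnsafe(string $searchTerms): string
{
    return '<p>Results for: ' . $searchTerms . '</p>' . "\n"
         . '<input type="text" name="searchTerms" value="' . $searchTerms . '">';
}

/** Escaped rendering: ENT_QUOTES covers both the text and the attribute context. */
function renderSearchHeaderSafe(string $searchTerms): string
{
    $e = htmlspecialchars($searchTerms, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Results for: ' . $e . '</p>' . "\n"
         . '<input type="text" name="searchTerms" value="' . $e . '">';
}

// Constructed payload in the shape of the thread's example: it closes the
// attribute it lands in and adds an onload handler.
$payload = '"><body onload="document.form.lala.value=document.cookie">';

echo "--- unescaped ---\n", renderSearchHeaderUnsafe($payload), "\n\n";
echo "--- escaped ---\n", renderSearchHeaderSafe($payload), "\n";

// Sanity check a reviewer can run: the escaped output carries no raw '<'
// from the input, and the value attribute is still a single quoted token.
$safe = renderSearchHeaderSafe($payload);
assert(strpos($safe, '<body') === false);
assert(preg_match('/value="[^"]*"/', $safe) === 1);
```

Escaping at output time fixes the reflection in the admin layout; the same term written to a log or stored elsewhere is a separate output context and needs escaping appropriate to wherever it is later displayed.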


