[pLog-svn] Lifetype 1.2.8 ...

Reto Hugi plog at hugi.to
Sun May 4 07:54:27 EDT 2008


I agree that r6435 is critical for the release, but I'd suggest we
release 1.2.8 because of the XSS bug.

Writing the cookie in the popup is not really the exploit that makes
this issue critical. It's a common way of doing PoC for XSS (like a
Hello World script).

I've already tried to explain earlier:
> If an attacker can trick you into clicking a link (e.g. he posts an
> article on his blog hosted by you, the admin) - he can easily hijack
> your session and become admin.

Note that he can do about anything that can be done with javascript. But
he most likely will just do an XHR to his own server and log the
session.

As the user needs to be logged in for the XSS to work, it's less
critical on a single user blog than on a blog hosting community, where
users tend to visit other blogs while being logged in.

Second: People don't really care how serious the XSS really is. We will
be measured on how fast we can publish the fix for this full disclosure.
That's why I'd release it today.

Do you guys agree? (I'll start writing the announcement. If it's not
used today, it's already done by the time we release it :)

reto
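The server-side fix for the kind of reflected XSS discussed above is to escape the search term before echoing it into the page, so that markup in it renders as inert text. The following is an added example written for this thread, not LifeType code; the function and variable names are made up for the illustration, and the sample search term is constructed to resemble the PoC quoted below.

```javascript
// Added example, not LifeType code: HTML-escape untrusted input before
// reflecting it into a page. Names below are hypothetical.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that has meaning in HTML text or attribute context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable rendering (the bug class under discussion): the search term is
// inserted unchanged, so any tags it contains become live HTML.
function renderSearchResultsUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened rendering: the same term is escaped and shows up as plain text.
function renderSearchResultsSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Constructed sample input, shaped like the PoC quoted in the thread.
const SAMPLE_TERM = '<body onLoad=javascript:document.form.lala.value=document.cookie>';

// Regression check: does the rendered page still contain the given tag as markup?
function containsLiveTag(html, tagName) {
  return new RegExp(`<${tagName}[\\s>]`, 'i').test(html);
}

console.log(renderSearchResultsUnsafe(SAMPLE_TERM));
console.log(renderSearchResultsSafe(SAMPLE_TERM));
console.log('unsafe reflects a live tag:', containsLiveTag(renderSearchResultsUnsafe(SAMPLE_TERM), 'body'));
console.log('safe reflects a live tag:', containsLiveTag(renderSearchResultsSafe(SAMPLE_TERM), 'body'));
```

The escaping is what closes the hole; marking the session cookie HttpOnly only keeps `document.cookie` from reading it and does nothing against the other actions a script can take while the victim is logged in.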

On 05/04/2008 12:04 PM, Jon Daley wrote:
> On Sun, 4 May 2008, Mark Wu wrote:
>> For 6435, you can try to revert the code first, then try to search your
>> article category with a keyword that you don't have, for example 'abc'.
>>
>> Do you see the difference? So I say it is a more serious bug, because it can
>> show other article categories...
>  	Ok, I see it.  But I wouldn't call it "serious", since the person 
> can't do anything with the other categories - ie. if he clicks on them it 
> shows an error.  Definitely a bug, just not a needs-to-be-released-today 
> sort of bug.
> 
>> For 6436 & 6437, Just fix the XSS you reported in svn.
>  	I didn't understand the code that the guy was showing.
> 
> Can't his exploit be more simply written:
> 
> <body onLoad=javascript:document.form.lala.value=document.cookie>
> <form name="form">
>   <input type="text" name="lala" value="">
> </form>
> </body>
> 
> I am not sure where the security issue is.  A user can see his own cookie, 
> which he could also do by viewing his cookies in his browser.  And this 
> can't be prevented by server side code.
> 
> I had originally assumed this meant the user could get data that he 
> didn't already have, or that the data could be sent to someone else, but I 
> no longer see how that is the case.  If he can get you to send that data 
> to some other web page that would be more interesting.  Or perhaps he is 
> saying that the cookie data ends up in the search terms, so then the 
> content would be in a log somewhere?
