|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Pebble 2.0.0 RC[1,2] XSS vulnerability
From: Paolo Perego (thesp0nge
gmail.com)
Date: Mon Oct 02 2006 - 03:09:06 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Software: Pebble
Version: 2.0.0 RC1 - 2.0.0 RC2
Author: Simon Brown
Homepage: http://pebble.sourceforge.net
Abstract
Pebble is a blogging system built upon java and XML. There is no
database to store the data into but just XML is used instead.
Description
Vulnerability: XSS vulnerability in "search" functionality. Query
string wasn't parsed for HTML and while printing it out for "Search
with google" link, the XSS can be done.
Workaround
Disable "Search with google" link in the user result page or, better,
update to the latest version in subversion.
History
Author contacted: 20 september
Author replyed: 20 september
Patch published in Subversion archive: 27 september
Disclaimer:
This advisory intended to be informational. No responsibility is taken
for its misuse.
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]