OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
[Full-disclosure] CVE-2012-2381: Apache Roller Cross-Site-Scripting (XSS) vulnerability

From: Dave (snoopdavegmail.com)
Date: Sun Jun 24 2012 - 12:03:27 CDT


Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
Roller 4.0.0 to Roller 4.0.1
Roller 5.0
The unsupported Roller 3.1 release is also affected

Description:
Roller trusts bloggers to post HTML and JavaScript code in the weblog
and for some sites this can be a problem because users are untrusted
and could post malicious code and exploit XSS. This issue has be
addressed by added a new configiration property weblogAdminsUntrusted
flag that, when set to 'true' will cause all weblog content to be HTML
sanitized.

Mitigation
Roller 4.0 and 4.0.1 users should upgrade to Roller 5.0.1
Roller 5.0 users should upgrade to Roller 5.0.1
Roller 3.1 users should upgrade to Roller 5.0.1

Credit:
This issue was discovered by Jun Zhu, PhD student, University of North
Carolina, Charlotte

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/