Mephisto blog is vulnerable to XSS

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Mephisto blog is vulnerable to XSS
From: Sergey Tikhonov <st@xxxxxxxx>
Date: Sun, 25 Mar 2007 12:52:39 +0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello everyone!

Current bleeding-edge version of Mephisto blog is vulnerable to XSS.Comment's author name accept javascript code. If admin approves/rejects comments manually, he have to load all unapproved comments,so it's possible to fetch his session id.


Example

Add new comment with the following author name: <script>alert(document.cookie)</script>Then from admin's overview section check this comment - you'll seemessage with cookie.

If you manually approve your comments, check list of pending comments.

How to fix it

patch for <approot>/app/helpers/application_helper.rb :

5c5
<     return comment.author if comment.author_url.blank?
---
>     return h(comment.author) if comment.author_url.blank?

Best wishes!
Sergey Tikhonov

Prev by Date: Horde Webmail Multiple HTML Injection vulnerability
Next by Date: Fizzle : Firefox Extension Vulnerability
Previous by thread: Re: Horde Webmail Multiple HTML Injection vulnerability
Next by thread: Fizzle : Firefox Extension Vulnerability
Index(es):
- Date
- Thread