From Dave <snoopd...@gmail.com>
Subject Re: XSS vulnerability in Roller 2.3.x ?
Date Sun, 14 Sep 2008 18:46:38 GMT
On Thu, Sep 11, 2008 at 8:04 AM,  <tim.fulcher@bt.com> wrote:
> I'm still running a site running Roller 2.3.1
> My customer seems to have found an issue whereby the search form on the
> blog page seems vulnerable to XSS attack :-(
>
> Just a few questions -
> 1 - Is this a known issue?
> 2 - Can I do anything about it? I wrote a Tomcat Valve to strip out
> characters for another webapp but would this mess up Roller
> functionality?
> 3 - Would migration to v3 or v4 fix the exploitation?

We have fixed some XSS vulnerabilities since 2.3.1, but I would need
to know some specifics.

I will email you off-list for more info.

- Dave
