[Imc-bristol-tech] hidden 300088 - cross site scripting exploit

mmmark mmmark at talk21.com
Tue Oct 26 02:50:15 PDT 2004


I am currently working on the fixes for this exploit
and will test them on the mirror site before adding
them to the live code.

m


--- Space Bunny <lists at j12.org> wrote:
> 300088 was hidden on imcuk as it contains an attempt to redirect our
> viewers to another site using this 'cross site exploit' (xss)
>
> indymedia.org.uk/en/2004/10/300088.html
>
> It failed due to the addition of the encodeHTML function to the
> templates, which protected the viewer by escaping HTML.
>
> An audit of all MIR templates is needed to check if anything similar
> could slip through to any of the pages, as it can appear in several
> places.
>
> If you want to learn more on how to help indymedia maintain its
> websites, pop by Internet Relay Chat irc.indymedia.org #uk or #tech
> and offer to help and learn. It may be a slow process of referring to
> docs and back and forth Q and A and just trying to do stuff, but it is
> worth us skillsharing. I would rather spend time showing others how to
> do stuff than do it all myself.
>
> Further to this:
> hidden by someone other than me:
> http://www.indymedia.org.uk/en/2004/10/300013.html
>
> More on xss and dadaimc see:
> http://dadaimc.org/support.php?section=xss
>
> People can help by checking out imc sites running the dadaimc cms,
> maybe turning off flash and javascript, and trying to alert admins of
> sites, maybe even voting such attempts out of newswires. I have
> attempted to patch indymedia scotland.
> It seems most imcs running dadaimc in the US were hit.
> Those that found this exploit are promising to use a sql injection
> exploit, which means they may be able to add themselves as admin user.
> So one is advised to dump the mysql db and keep a copy of the site.
> As bristol's automatic scheduled tasks (cron jobs) seem not set up:
> http://lists.indymedia.org/pipermail/imc-bristol-tech/2004-July/0718-e9.html
> I am guessing this is not happening automatically for them.
> More info on mysqldump at:
> http://docs.indymedia.org/view/Local/ImcScotlandMaintenance
>
> cheers,
>
> Space Bunny
>
> --
> http://j12.org/sb/
>
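The quoted message makes two practical points: an encodeHTML call in the templates is what stopped the injected redirect, and the remaining templates need auditing for output that is still emitted raw. The following is an added example, not code from this thread or from the MIR or dadaimc projects. `encode_html` stands in for the templates' encodeHTML (its exact behaviour is not shown here, so Python's `html.escape` is assumed); the `${...}` placeholder syntax, the sample post body and the sample template are constructed for the demonstration, and `attacker.invalid` is a placeholder hostname.

```python
import html
import re

# Constructed sample post body of the kind the thread describes: a
# submission that tries to send viewers to another site via injected
# markup. The hostname is a placeholder (reserved .invalid TLD).
SAMPLE_POST = (
    "Great article! "
    "<script>document.location='http://attacker.invalid/'</script>"
)


def encode_html(text: str) -> str:
    """Escape the characters that let text break out of an HTML text node
    or a double-quoted attribute value. Stands in for the templates'
    encodeHTML function (assumed equivalent, not the original code)."""
    return html.escape(text, quote=True)


# Any HTML tag: '<' followed by a letter, '/' or '!' up to the next '>'.
TAG_RE = re.compile(r"<[A-Za-z/!][^>]*>")


def render_article(body: str, escape: bool) -> str:
    """Build the fragment a template would emit for a post body, with or
    without output escaping. Assumed template structure."""
    content = encode_html(body) if escape else body
    return f'<div class="article-body">{content}</div>'


def contains_injected_markup(rendered: str) -> bool:
    """Detection check: true if the rendered fragment contains any tag other
    than the wrapper div the template itself wrote."""
    wrapper = {'<div class="article-body">', "</div>"}
    return any(tag not in wrapper for tag in TAG_RE.findall(rendered))


# Template audit: find every ${...} output placeholder that is not wrapped
# in encodeHTML(...). The ${...} syntax is an assumption for this example.
PLACEHOLDER_RE = re.compile(r"\$\{([^}]*)\}")


def find_unescaped_placeholders(template: str):
    """Return (line_number, expression) for each placeholder emitted raw."""
    findings = []
    for line_no, line in enumerate(template.splitlines(), 1):
        for match in PLACEHOLDER_RE.finditer(line):
            expr = match.group(1).strip()
            if not re.fullmatch(r"encodeHTML\(.*\)", expr):
                findings.append((line_no, expr))
    return findings


# Constructed template with two escaped and two raw placeholders.
SAMPLE_TEMPLATE = """\
<h1>${encodeHTML(article.title)}</h1>
<p class="byline">${encodeHTML(article.creator)}</p>
<div class="article-body">${article.content}</div>
<a href="${article.source_url}">source</a>
"""

if __name__ == "__main__":
    raw = render_article(SAMPLE_POST, escape=False)
    safe = render_article(SAMPLE_POST, escape=True)
    print("unescaped render injects markup:", contains_injected_markup(raw))
    print("escaped render injects markup:  ", contains_injected_markup(safe))
    for line_no, expr in find_unescaped_placeholders(SAMPLE_TEMPLATE):
        print(f"template line {line_no}: ${{{expr}}} is emitted without encodeHTML")
```

The audit deliberately flags `article.source_url` as well: HTML-escaping is the right fix for text nodes and quoted attribute values, but a value that lands inside `href` also needs its URL scheme checked (for example allowing only `http` and `https`), since encodeHTML alone does not stop a `javascript:` link. That is the sort of per-context difference a template audit has to note placeholder by placeholder.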