[Imc-bristol-tech] hidden 300088 - cross site scripting exploit
mmmark at talk21.com
Tue Oct 26 02:50:15 PDT 2004
I am currently working on the fixes for this exploit and will test them on the mirror site before adding them to the live code.
--- Space Bunny <lists at j12.org> wrote:
> 300088 was hidden on imcuk as it contains an attempt to redirect our viewers to another site using this 'cross site scripting exploit' (XSS).
> It failed due to the addition of the encodeHTML function to the templates, which protected the viewer by escaping HTML.
> An audit of all MIR templates is needed to check whether anything similar could slip through to any of the pages, as it can appear in several places.
> If you want to learn more on how to help Indymedia maintain its websites, pop by Internet Relay Chat, irc.indymedia.org #uk or #tech, and offer to help and learn. It may be a slow process of referring to docs and back-and-forth Q and A and just trying to do stuff, but it is worth us skillsharing. I would rather spend time showing others how to do stuff than do it all myself.
> Further to this:
> hidden by someone other than me:
> More on XSS and dadaimc see:
> People can help by checking out IMC sites running the dadaimc CMS, maybe admins of sites, maybe even voting such attempts out of newswires. I have attempted to patch Indymedia Scotland.
> It seems most IMCs running dadaimc in the US were hit.
> Those that found this exploit are promising to use a SQL injection exploit, which means they may be able to add themselves as an admin user. So one is advised to dump the MySQL DB and keep a copy of the site.
> As Bristol's automatic scheduled tasks (cron jobs) seem not to be set, I am guessing this is not happening automatically for
> More info on mysqldump at:
> Space Bunny
> Imc-bristol-tech mailing list
> Imc-bristol-tech at lists.indymedia.org
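The fix the thread relies on is a template-level encodeHTML function, and the follow-up it asks for is an audit of every template for fields that bypass it. The Python below is an added example written for this page, not code from MIR, dadaimc or anyone in the thread: a small template renderer with a hypothetical encodeHTML filter, a constructed redirect payload of the kind described, and an audit that renders each template with a probe value and lists the fields that are inserted raw. The template names, field names, filter syntax and the example.invalid URL are all assumptions made for the example.

```python
"""Toy template renderer with an encodeHTML filter, plus a template audit.

Hypothetical reimplementation for illustration; the real MIR/dadaimc
template syntax and encodeHTML function are not reproduced here.
"""
import html
import re

# A field is written {name} (raw insertion) or {name|filter}.
FIELD_RE = re.compile(r"\{(\w+)(?:\|(\w+))?\}")


def encode_html(value):
    """Escape &, <, >, " and ' so poster-supplied text renders as text.

    This is what a template-level encodeHTML call has to do: once the
    angle brackets are entities, a <meta refresh> or <script> redirect
    in a post is shown to the viewer instead of executed.
    """
    return html.escape(str(value), quote=True)


FILTERS = {"encodeHTML": encode_html}


def render(template, fields):
    """Substitute fields into a template; only filtered fields are escaped."""
    def substitute(match):
        name, filter_name = match.group(1), match.group(2)
        value = str(fields.get(name, ""))
        if filter_name is None:
            return value  # raw insertion: whatever the poster typed goes out
        try:
            return FILTERS[filter_name](value)
        except KeyError:
            raise ValueError("unknown filter %r in template" % filter_name)
    return FIELD_RE.sub(substitute, template)


# Constructed templates standing in for a site's templates (assumption:
# the two at the bottom are the kind of forgotten spot an audit should find).
TEMPLATES = {
    "article": '<h1>{title|encodeHTML}</h1><div class="body">{body|encodeHTML}</div>',
    "newswire": '<li><a href="/article/{id|encodeHTML}">{title|encodeHTML}</a></li>',
    "rss_title": "<title>{title}</title>",  # title never escaped here
    "author_box": "Posted by {author}",     # nor the author name here
}

# Constructed payload (not the real hidden article): a post that tries to
# bounce the viewer to another site both via meta refresh and via script.
REDIRECT_PAYLOAD = (
    '<meta http-equiv="refresh" content="0;url=http://example.invalid/">'
    '<script>document.location="http://example.invalid/"</script>'
)


def audit_templates(templates, probe="<probe>x</probe>"):
    """Render every template with a tag-bearing probe in every field.

    Returns {template_name: [raw field names]} for each template whose
    output still contains the probe verbatim, i.e. a place where poster
    text would reach the viewer unescaped.
    """
    leaks = {}
    for name, template in templates.items():
        matches = list(FIELD_RE.finditer(template))
        fields = {m.group(1): probe for m in matches}
        raw_fields = sorted({m.group(1) for m in matches if m.group(2) is None})
        if probe in render(template, fields):
            leaks[name] = raw_fields
    return leaks


if __name__ == "__main__":
    page = render(TEMPLATES["article"], {"title": REDIRECT_PAYLOAD, "body": "hello"})
    print(page)
    print("templates with unescaped fields:", audit_templates(TEMPLATES))
```

Running the audit over a real site's templates means pointing `audit_templates` at the template files and whatever escaping filter they actually use; the probe approach is useful precisely because it does not depend on reading each template by eye, which is how a second unescaped field is missed after the first one is fixed.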