On Tue, Dec 27, 2005 at 11:19:36PM +0100, Thijs Kinkhorst wrote:
> Hello Moritz,
> 
> On Sat, December 24, 2005 16:02, Moritz Muehlenhoff wrote:
> > The mentioned path disclosure is obviously not a problem, but does
> > the described XSS issue have real-world security implications?
> 
> Sorry for not getting back to you earlier, this is due to the holidays.
> Hope you had a nice time.
> 
> I have not yet tested the code, however, if it works, it's a real-world
> xss problem. But, from a first look it seems to require 'Allow HTML' to be
> turned on. This is turned off by default on Debian and we warn in every
> possible flashy way about not turning this on unless your environment is
> completely trusted.
> 
> I'll try to confirm this soon, but if it's the case that this can only be
> exploited with 'Allow HTML' on, I'm inclined not to fix it for sarge. We
> will fix it for sid in that case of course.

I agree with Thijs' assessment here. A very similar issue came up before
sarge was released, which I decided at that time (2.0.13(+1)-5,
corresponding to upstream's 2.0.14 security updates) to solve by adding
the above-mentioned flashy (though non-shockwave) warning -- phpBB
doesn't have adequate support for filtering HTML into something
XSS-safe, and never has, and it does have a reasonably adequate
alternative ("bbcode"), so the feature is labeled as 'for internal,
trusted-users-only use', and defaults to off.

The actual text of the warning is:
| Warning: enabling this will always expose your users to cross-site
| scripting, use only in fully trusted environments

Security team, if you wish, you can add CVE-2005-4357 to the list of
non-vulns, or wontfix, security issues, whatever is most appropriate.

Thanks,
--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED]
http://jeroen.A-Eskwadraat.nl
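The design point behind the thread (escape everything and offer a restricted markup instead of trying to sanitise arbitrary HTML) is easy to show in code. The following is an added illustration written for this page; it is not phpBB's own rendering code, it is in Python rather than PHP, and the function names, the two-tag bbcode whitelist and the sample post are all constructed assumptions.

```python
import html
import re

# Constructed sample post: ordinary bbcode plus a script tag, as a user
# might submit it. Not taken from the list message.
SAMPLE_POST = ('Hello [b]world[/b] <script>alert(1)</script> '
               '[url=http://example.org]site[/url]')


def render_allow_html(post: str) -> str:
    """Model of the 'Allow HTML' setting being ON: the post body is
    emitted as-is, so any markup a user typed reaches every reader's
    browser unchanged. This is the behaviour the warning describes."""
    return post


# Hypothetical bbcode whitelist: each tag maps to fixed, known-safe HTML.
_BBCODE_RULES = [
    (re.compile(r'\[b\](.*?)\[/b\]', re.S), r'<strong>\1</strong>'),
    (re.compile(r'\[i\](.*?)\[/i\]', re.S), r'<em>\1</em>'),
]
# Links are only converted when the target is an http(s) URL, so a
# javascript: target is left as inert escaped text.
_URL_RULE = re.compile(r'\[url=(https?://[^\]\s"<>]+)\](.*?)\[/url\]', re.S)


def render_bbcode(post: str) -> str:
    """Model of the default setting ('Allow HTML' OFF): HTML-escape the
    whole post first, then convert a small whitelist of bbcode tags.
    Because escaping runs before conversion, the only HTML that can
    appear in the output is what this function itself emits."""
    out = html.escape(post, quote=True)
    for pattern, replacement in _BBCODE_RULES:
        out = pattern.sub(replacement, out)
    out = _URL_RULE.sub(r'<a href="\1">\2</a>', out)
    return out


def has_raw_script(rendered: str) -> bool:
    """Simple check used below: does a script tag survive into the HTML
    that would be sent to readers?"""
    return '<script' in rendered.lower()


if __name__ == '__main__':
    print('Allow HTML on :', render_allow_html(SAMPLE_POST))
    print('bbcode only   :', render_bbcode(SAMPLE_POST))
    print('script survives with Allow HTML on :',
          has_raw_script(render_allow_html(SAMPLE_POST)))
    print('script survives with bbcode only   :',
          has_raw_script(render_bbcode(SAMPLE_POST)))
```

The ordering in `render_bbcode` is the whole point: escaping first and converting a fixed whitelist afterwards means there is no HTML-sanitising step that can be bypassed, which is why a project can offer bbcode safely while treating raw HTML as trusted-users-only.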

