Hello Turbo,

On Tue, 2006-08-22 at 07:52 +0200, Turbo Fredriksson wrote:
> Since I'm both the upstream and Debian GNU/Linux maintainer, I'd
> very much like to fix this.
> 
> What do I need to do? I can understand 'cross site scripting' and
> why it should be a security problem...
> 
> I don't _execute_ anything... ?!? Please advise.

What the program currently does is allow random people to pass data
into it which is then output *unescaped* to the browser again. This
means that one can include all kinds of HTML and JavaScript into it. An
attack vector is to trick e.g. an admin using the system into going to
some URL with such data encoded. The data could contain JavaScript that
is executed in the security context of the browser - e.g. sends the
login cookie to the attacker.

Tricking a user into following such a crafted URL can be done by e.g.
redirecting from something looking harmless.

In general, you must not allow users to output random data to the screen
without escaping it, especially not via GET parameters. When using PHP,
the best solution is to use htmlspecialchars() on any output everywhere,
except when completely trusted already (but be careful with the latter).

I hope this is clear. It does need some refactoring of your package I'm
afraid. The web is full of documentation on this issue. Good luck!


Thijs
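
The pattern Thijs describes, shown as an added PHP example that is not part of the thread and not code from Turbo's package: a page that reflects a GET parameter unescaped, next to the same page with htmlspecialchars() applied at the point of output. The helper name e(), the parameter name "name" and the sample input are assumptions made up for the illustration; the $_GET lookup is simulated with a constructed array so the script runs from the command line.

```php
<?php
// Added example (not from the original thread or the package it discusses).
// Run with `php example.php`; $_GET is replaced by a constructed array.

declare(strict_types=1);

/**
 * Escape a string for insertion into HTML element content or a quoted
 * attribute value. ENT_QUOTES converts both " and ' so the result is
 * also safe inside single-quoted attributes; ENT_SUBSTITUTE replaces
 * invalid UTF-8 sequences instead of returning an empty string; naming
 * the charset explicitly avoids depending on the default_charset setting.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable form: the request parameter is reflected into the page untouched. */
function render_greeting_unsafe(array $get): string
{
    $name = $get['name'] ?? 'world';
    return "<p>Hello, {$name}!</p>";
}

/** Fixed form: every untrusted value passes through e() exactly where it is output. */
function render_greeting_safe(array $get): string
{
    $name = $get['name'] ?? 'world';
    return '<p>Hello, ' . e($name) . '!</p>';
}

// Constructed stand-in for $_GET: PHP has already URL-decoded the query string,
// so markup and quotes in the parameter arrive as literal characters.
$simulated_get = ['name' => '<b title="x">Turbo</b>'];

echo "Unescaped (browser would render the <b> tag as HTML):\n";
echo render_greeting_unsafe($simulated_get), "\n\n";

echo "Escaped (browser shows the markup as literal text):\n";
echo render_greeting_safe($simulated_get), "\n";
```

Two points the reply makes are visible here: the escaping happens on output, not when the data comes in, and it has to cover every place a value reaches the page, including attribute values, which is why ENT_QUOTES is passed. Values that end up inside a URL or inside inline JavaScript need their own encoding (urlencode() or json_encode()); htmlspecialchars() alone is only correct for HTML text and attributes.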
