Fwd: [Secunia] - Cross-Site Scripting Vulnerability in Newscoop
  • Sava Tatić
    Posts: 113; Member, Administrator, Sourcefabric Team
    --sent from a sofab Android
    http://Sourcefabric.org
    ---------- Forwarded message ----------
    From: "Secunia" <vuln@secunia.com>
    Date: Feb 2, 2011 10:12 AM
    Subject: [Secunia] - Cross-Site Scripting Vulnerability in Newscoop
    To: <contact@sourcefabric.org>
    Cc: <vuln@secunia.com>

    Hello,

    A third party researcher has discovered a vulnerability in
    Newscoop, which can be exploited by malicious people to conduct
    cross-site scripting attacks.

    We have confirmed the vulnerability in version 3.5.0 and are
    contacting you to attempt a coordinated disclosure. We have reserved
    Secunia Advisory SA43152 and set a preliminary release date of February
    16th, 2011 for the publication of our advisory.

    Please provide us with the contact details of your security team so we
    can provide the vulnerability details.

    Kind regards,
    --

    Tiago Seco
    Junior Security Specialist

    Secunia
    Weidekampsgade 14 A
    DK-2300 Copenhagen S
    Denmark

    Phone +45 7020 5144
    Fax +45 7020 5145

  • I've tested this and we fixed major vulnerability issues on V3.5GA that were still existing on V3.5RC.

    We need to see what they are talking about.



  • Andrey Podshivalov
    Posts: 1,526; Member, Administrator, Sourcefabric Team
    In addition, I'd like to inform you that Newscoop has administration session cookies with the HTTPOnly parameter (it was introduced in the 3.4.2 release). It prevents session grabbing via any injected code - JavaScript has no access to session information.
  • The latest cross scripting vulnerability was on the frontend, not admin: a
    reader could write comments that contain Javascript code - this was fixed in
    3.5.0. The same possibility exists for the subscriber data form - this was
    not updated yet to filter out Javascript. The problem is minor though, I
    never heard of any site using the template based subscriber form to allow
    their readers to update personal data.

    Mugur Rus
    Senior Software Developer, Sourcefabric
    mugur.rus@sourcefabric.org

    Cluj-Napoca, Romania
    +40 (0)720 528408
    Skype: mugur_rus

    http://www.sourcefabric.org
    http://www.twitter.com/Sourcefabric



    On Wed, Feb 2, 2011 at 8:58 PM, Andrey Podshivalov <
    newscoop-dev@lists.sourcefabric.org> wrote:

    > In addition I'd like to inform that Newscoop has administration session
    > cookies with HTTPOnly parameter (was introduced in 3.4.2 release). It
    > prevents a session grabbing via any injected code - javascript has no access
    > to session information.
    >


  • True, as Ofir said... there was an XSS problem re: Comments, Ofir
    reported it... and while fixing it I found a couple more, also fixed.
    One more was fixed by Martin and I think he also fixed the problem
    with Subscribers Mugur is mentioning.



    On Wed, Feb 2, 2011 at 8:04 PM, Mugur Rus
    <newscoop-dev@lists.sourcefabric.org> wrote:
    >
    > The latest cross scripting vulnerability was on the frontend, not admin: a
    > reader could write comments that contain Javascript code - this was fixed in
    > 3.5.0. The same possibility exists for the subscriber data form - this was
    > not updated yet to filter out Javascript. The problem is minor though, I
    > never heard of any site using the template based subscriber form to allow
    > their readers to update personal data.


    --
    Holman Romero
    Senior Software Engineer, Sourcefabric
    holman.romero@sourcefabric.org

    Salvátorská 10
    110 00 Praha 1, Czech Republic
    +420 608910633

    http://www.sourcefabric.org
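
The two defenses discussed in this thread, sketched as an added example that is not Newscoop's code: encoding reader-supplied comment and subscriber-form values at output time, and checking that a session cookie carries the HttpOnly attribute. The function names, cookie names, field names and sample inputs are all constructed for illustration.

```python
import html

def render_comment(author, body):
    """Encode reader-supplied text at output time: markup is shown, not run."""
    return '<div class="comment"><b>{}</b><p>{}</p></div>'.format(
        html.escape(author), html.escape(body))

def render_subscriber_field(name, value):
    """Echo a saved value back into a form attribute; quotes are encoded too."""
    return '<input type="text" name="{}" value="{}">'.format(
        html.escape(name, quote=True), html.escape(value, quote=True))

def cookies_missing_httponly(set_cookie_values):
    """Return names of cookies whose Set-Cookie value lacks HttpOnly."""
    missing = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; flags such as HttpOnly have no "=".
        attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
        if "httponly" not in attrs:
            missing.append(name)
    return missing

# Constructed sample inputs (not taken from the thread or from Newscoop).
SAMPLE_COMMENT = "Nice article <script>alert(1)</script>"
SAMPLE_CITY = 'Praha" onfocus="alert(1)'
SAMPLE_SET_COOKIE = [
    "admin_session=3f9a; Path=/admin; HttpOnly",  # hypothetical cookie name
    "reader_prefs=compact; Path=/",               # hypothetical cookie name
]

if __name__ == "__main__":
    print(render_comment("reader", SAMPLE_COMMENT))
    print(render_subscriber_field("city", SAMPLE_CITY))
    print("cookies without HttpOnly:", cookies_missing_httponly(SAMPLE_SET_COOKIE))
```

HttpOnly keeps script away from the session cookie; the two encoding functions are what stop submitted markup from being interpreted by the browser at all.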