Fwd: [Secunia] - Cross-Site Scripting Vulnerability in Newscoop - Newscoop Development Discussions on Sourcefabric Forum

Sava Tatić

--sent from a sofab Android
http://Sourcefabric.org
---------- Forwarded message ----------
From: "Secunia" <vuln@secunia.com>
Date: Feb 2, 2011 10:12 AM
Subject: [Secunia] - Cross-Site Scripting Vulnerability in Newscoop
To: <contact@sourcefabric.org>
Cc: <vuln@secunia.com>

Hello,

A third party researcher has discovered a vulnerability in
Newscoop, which can be exploited by malicious people to conduct
cross-site scripting attacks

We have confirmed the vulnerability in version 3.5.0 and are
contacting you to attempt a coordinated disclosure. We have reserved
Secunia Advisory SA43152 and set a preliminary release date of February
16th, 2011 for the publication of our advisory.

Please provide us with the contact details of your security team so we
can provide the vulnerability details.

Kind regards,
--

Tiago Seco
Junior Security Specialist

Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark

Phone +45 7020 5144
Fax +45 7020 5145

Ofir Gal

I've tested this and we fixed major vulnerability issues on V3.5GA that were still existing on V3.5RC.

We need to see what they are talking about.

Andrey Podshivalov

In addition I'd like to inform that Newscoop has administration session cookies with HTTPOnly parameter (was introduced in 3.4.2 release). It prevents a session grabbing via any injected code - javascript has no access to session information.

Mugur Rus

The latest cross scripting vulnerability was on the frontend, not admin: a
reader could write comments that contain Javascript code - this was fixed in
3.5.0. The same possibility exists for the subscriber data form - this was
not updated yet to filter out Javascript. The problem is minor though, I
never heard of any site using the template based subscriber form to allow
their readers to update personal data.

Mugur Rus
Senior Software Developer, Sourcefabric
mugur.rus@sourcefabric.org

Cluj-Napoca, Romania
+40 (0)720 528408
Skype: mugur_rus

http://www.sourcefabric.org
http://www.twitter.com/Sourcefabric

On Wed, Feb 2, 2011 at 8:58 PM, Andrey Podshivalov <
newscoop-dev@lists.sourcefabric.org> wrote:

> I addition I'd like to inform that Newscoop has administration session
> cookies with HTTPOnly parameter (was introduced in 3.4.2 release). It
> prevents a session grabbing via any injected code - javascript has no access
> to session information.
>

Holman Romero

True, as Ofir said... there was an XSS problem re: Comments, Ofir
reported it... and while fixing it I found a couple more, also fixed.
One more was fixed by Martin and I think he also fixed the problem
with Subscribers Mugur is mentioning.

On Wed, Feb 2, 2011 at 8:04 PM, Mugur Rus
<newscoop-dev@lists.sourcefabric.org> wrote:
>
> The latest cross scripting vulnerability was on the frontend, not admin: a
> reader could write comments that contain Javascript code - this was fixed in
> 3.5.0. The same possibility exists for the subscriber data form - this was
> not updated yet to filter out Javascript. The problem is minor though, I
> never heard of any site using the template based subscriber form to allow
> their readers to update personal data.
>
> Mugur Rus
> Senior Software Developer, Sourcefabric
> mugur.rus@sourcefabric.org
>
> Cluj-Napoca, Romania
> +40 (0)720 528408
> Skype: mugur_rus
>
> http://www.sourcefabric.org
> http://www.twitter.com/Sourcefabric
>
>
>
> On Wed, Feb 2, 2011 at 8:58 PM, Andrey Podshivalov <
> newscoop-dev@lists.sourcefabric.org> wrote:
>
> > I addition I'd like to inform that Newscoop has administration session
> > cookies with HTTPOnly parameter (was introduced in 3.4.2 release). It
> > prevents a session grabbing via any injected code - javascript has no access
> > to session information.
> >
>
>

--
Holman Romero
Senior Software Engineer, Sourcefabric
holman.romero@sourcefabric.org

Salvátorská 10
110 00 Praha 1, Czech Republic
+420 608910633

http://www.sourcefabric.org

Howdy, Stranger!

Categories

Poll

Top Posters