
Antti-Juhani Kaijanaho: [SECURITY] Blosxom comments plugin cross-site scripting vulnerability [patch]

I only recently found out about the now weeks-old cross-site scripting vulnerability in the Blosxom writeback plugin. Since the comments plugin, which I use, is based on the writeback plugin, it was logical to assume that it would also be vulnerable, and it is.

I adapted Kyle Maxwell's patch for comments; here is the adapted patch. It works for me, but as always, there is no warranty, not even the implied warranty that the patch patches the vulnerability.

Update: Note that the patch only filters new comments; you need to manually check your existing comment base.
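As an added illustration, not the patch itself (this post does not reproduce it) and not Blosxom's own Perl code, here is what such a filter and the follow-up audit of an existing comment store amount to, written in Python. The filter replaces only the HTML-significant ASCII characters, so non-ASCII text such as Chinese or Japanese passes through unchanged; the audit lists stored comments that still contain raw tags, which is the manual check the update above asks for. The function names, the comment-store layout and the sample comments are assumptions.

```python
import html
import re
from pathlib import Path

# Raw HTML tag, e.g. <script>, </script>, <img src=...>. A stored comment that
# has passed through the filter should never match this.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def escape_comment(text: str) -> str:
    """Escape a comment body so the browser renders it as text, not markup.

    Only & < > " ' are rewritten; every other character, including
    multi-byte non-Western text, is left exactly as submitted.
    """
    return html.escape(text, quote=True)


def find_raw_markup(text: str) -> list:
    """Return the raw tags still present in a stored comment body."""
    return TAG_RE.findall(text)


def audit_comments(comments: dict) -> dict:
    """Map comment name -> list of raw tags, for comments that contain any.

    `comments` is {name: body}; an empty result means the store is clean.
    """
    findings = {}
    for name, body in sorted(comments.items()):
        tags = find_raw_markup(body)
        if tags:
            findings[name] = tags
    return findings


def audit_comment_dir(root: Path) -> dict:
    """Audit every file under `root` (assumed: one stored comment per file)."""
    comments = {
        str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
        for p in root.rglob("*") if p.is_file()
    }
    return audit_comments(comments)


# Constructed sample store: one comment carrying a script tag, one plain
# Chinese comment, and one already-escaped comment.
SAMPLE_STORE = {
    "post1/0001": "nice post <script>alert(1)</script>",
    "post1/0002": "写得很好，谢谢！",
    "post2/0001": "already filtered: &lt;b&gt;bold&lt;/b&gt;",
}


def main():
    for name, tags in audit_comments(SAMPLE_STORE).items():
        print(f"{name}: raw markup {tags}")
    print(escape_comment(SAMPLE_STORE["post1/0001"]))
    print(escape_comment(SAMPLE_STORE["post1/0002"]))


if __name__ == "__main__":
    main()
```

Running the audit against the sample store flags only `post1/0001`; the Chinese comment contains no markup and is untouched by escaping.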

2004-06-25T14:48+0300 - /en/programming


Trackback url: http://antti-juhani.kaijanaho.info/blog/en/programming/blosxom-comments-vulnerability.trackback (trackback is broken)

Re: LALR parsing is sooo fun

Have you tried spark? It's a python parser, but is neither left nor right associative; you can do productions like "exp := exp + exp" and it will deal with it. I don't know exactly how. (But it works!) They've got papers explaining how it works if you care that much ;)

http://pages.cpsc.ucalgary.ca/~aycock/spark/

- Perry Lorier, Thu, 06 May 2004 05:26

Re: LALR parsing is sooo fun

Apparently Spark uses Earley's algorithm, which is much more powerful than the usual LL(1) or LALR(1). Interestingly, recent Bison versions allow the use of GLR, an algorithm of similar parsing power to Earley's algorithm.

- Antti-Juhani Kaijanaho, Thu, 06 May 2004 11:07

Re: [SECURITY] Blosxom comments plugin cross-site scripting vulnerability [patch]

But this patch would make non-western characters mad.... Like Chinese, maybe Japanese and Korean as well. Have any idea?

- ykhuang, Thu, 08 Jul 2004 09:26

Re: [SECURITY] Blosxom comments plugin cross-site scripting vulnerability [patch]

I don't immediately see how it would adversely affect Chinese and Japanese writing. Can you elaborate?

- Antti-Juhani Kaijanaho, Thu, 08 Jul 2004 14:11
