Antti-Juhani Kaijanaho



2004-06-25

[SECURITY] Blosxom comments plugin cross-site scripting vulnerability [patch]

I only recently found out about the now weeks-old cross-site scripting vulnerability in the Blosxom writeback plugin. Since the comments plugin, which I use, is based on the writeback plugin, it was logical to assume that it would also be vulnerable, and it is.

I adapted KyleM.xwell's patch for comments; here is the adapted patch. It works for me, but as always, there is no warranty, not even the implied warranty that the patch patches the vulnerability.

Update: Note that the patch only filters new comments as they are submitted; comments already stored on disk are rendered as before, so you need to check your existing comment base by hand for injected markup.
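As an added illustration, which is neither the comments plugin's code nor the patch linked above, here is a Perl sketch of the two things this note calls for: an HTML escaper to apply to every visitor-supplied field before it is interpolated into the page, and a scanner over an existing comment base that flags records still carrying markup. It assumes a writeback-style storage format (one record per block of "field: value" lines, each block terminated by a "-----" line) and the field names name, url and comment; the format, the field names and the sample data are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not the Blosxom comments plugin's own code or the patch.
# Assumption: comments are stored writeback-style, one record per block of
# "field: value" lines terminated by a "-----" line. Field names are assumed.
use strict;
use warnings;

# Escape the characters that let a field break out of text context into
# markup. Apply to every user-controlled field before it reaches the page.
sub escape_html {
    my ($s) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Parse a writeback-style comment file into a list of hashrefs,
# one per stored comment.
sub parse_comments {
    my ($text) = @_;
    my @records;
    my %cur;
    for my $line (split /\n/, $text) {
        if ($line =~ /^-----\s*$/) {
            push @records, { %cur } if %cur;
            %cur = ();
        } elsif ($line =~ /^(\w+):\s?(.*)$/) {
            $cur{$1} = $2;
        }
    }
    push @records, { %cur } if %cur;
    return @records;
}

# Report records whose fields contain tags, a javascript: URL or an inline
# event handler, so an existing comment base can be reviewed after the
# filter is installed (the filter itself only touches new submissions).
sub find_suspicious {
    my (@records) = @_;
    my @hits;
    for my $i (0 .. $#records) {
        for my $field (sort keys %{ $records[$i] }) {
            my $v = $records[$i]{$field};
            if ($v =~ /[<>]/ || $v =~ /javascript\s*:/i || $v =~ /\bon\w+\s*=/i) {
                push @hits, { index => $i, field => $field, value => $v };
            }
        }
    }
    return @hits;
}

# Constructed sample comment base, not real data.
my $sample = <<'END';
name: alice
url: http://example.invalid/
comment: Nice post.
-----
name: <script>alert(1)</script>
url: javascript:alert(document.cookie)
comment: Hello <b>world</b>
-----
END

my @records = parse_comments($sample);
for my $hit (find_suspicious(@records)) {
    printf "record %d, field %s: %s\n", $hit->{index}, $hit->{field}, $hit->{value};
}

# What the escaper does to the offending name field when it is rendered.
print escape_html($records[1]{name}), "\n";
```

The scanner is deliberately noisy: it flags any angle bracket, including harmless formatting like the <b> in the sample, because the point is to produce a short list to inspect by hand, not to decide automatically what is safe. Whatever the scan turns up should be either escaped in place with the same escaper used for new comments or deleted.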

14:48 - /en/programming - 2 comments