posted by Anonymous on 13-Feb-2004 10:02:31 (1741 reads)
This has now been patched on the main site and Kent has also been advised of what is needed. That is at least for the exploits we have managed to find Hopefully if theres more we will get testcases shared to find it.
Thanks also to Orgin.
Due to security concerns over the "lastposts" moduleset raised by Kent over amiga.org we had temporarily suspended them.
We, with a hint from Kent about the kind of problems he was seeing on Xoops.org, figured out what the defect was and Xoops developers need to SAFE or ESCAPE the results of the query used by lastposts modules to avoid scripts being run on the client box when the page is generated and viewed.
So far this fix is looking pretty solid, I haven't been able to hack into the DB yet with it installed. I'm going to work on updating the code to current and make it a bit more configurable if I can. Thanks for the help on this.
Re: LastPosts temporarily unavailable Posted on 13-Feb-2004 22:58:39