In the search for XSS holes in Scoop after the k5 hack of several weeks
ago, a few other XSS vulnerabilities in Scoop turned up affecting the
"count" parameter to search, and vulnerabilities in /story and /addtag.
If you upgrade to the latest CVS, these issues are fixed, but you need
to upgrade three boxes known to have problems:
(from the file UPGRADING-TO-1.1.8.txt)
------------------------
comment_controls
addtag
tag_listing
For comment_controls, add these lines right below where $sid, $cid,
$pid, and $qid are defined:
$sid = $S->filter_param($sid);
$pid = $S->filter_param($pid);
$cid = $S->filter_param($cid);
$qid = $S->filter_param($qid);
Add them below these lines:
my $sid = $S->{CGI}->param('sid');
my $pid = $S->{CGI}->param('pid');
my $cid = $S->{CGI}->param('cid');
my $qid = $S->{CGI}->param('qid');
For addtag and tag_listing, add this line:
$sid = $S->filter_param($sid);
below this one:
my $sid = $S->cgi->param('sid');
----------------------
I went through all the other boxes that took user input, and tested all
the ops in a default installation, but found nothing else that triggered
XSS exploits.
I'm sending this email out to the scoop-help and scoop-dev lists so
everyone has a chance to get upgraded before the public announcement and
release of Scoop 1.1.8, which will be the announced security fix
release. In one week from sending this email out, I'll publicly
announce the problem, the fix, the detailed explanation, and urge
everyone to upgrade.
-j
----------------------------------------------
/* You are not expected to understand this. */
Captain_Tenille
http://www.satanosphere.com/
http://www.kuro5hin.org/
jeremy at satanosphere.com
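The following is an added illustration, not code from Scoop or from the email above, of why the upgrade notes wrap each CGI parameter in a filter call before it is used: a parameter such as `qid` that is echoed back into an HTML attribute unescaped lets the request author close the attribute and inject markup. The `filter_param` below is a stand-in that HTML-escapes the characters that break out of an attribute or text node; Scoop's real `$S->filter_param` may apply different rules. The `render_comment_controls` routine, its markup, and the sample parameter values are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not Scoop code): unfiltered vs. filtered handling of the
# sid/pid/cid/qid parameters that the comment_controls box reads.
use strict;
use warnings;

# Stand-in for Scoop's $S->filter_param (assumption: the real method may
# differ). Escapes the characters that let a value terminate an attribute
# or start a tag, so the value can only ever be rendered as text.
sub filter_param {
    my ($value) = @_;
    return '' unless defined $value;
    my %esc = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $value =~ s/([&<>"'])/$esc{$1}/g;
    return $value;
}

# Toy box that builds a reply link from the four ids. With $apply_filter
# false it mirrors the vulnerable shape (raw CGI values dropped straight
# into HTML); with it true it mirrors the fix from UPGRADING-TO-1.1.8.txt.
sub render_comment_controls {
    my ($params, $apply_filter) = @_;
    my ($sid, $pid, $cid, $qid) = map { $params->{$_} } qw(sid pid cid qid);

    if ($apply_filter) {
        $sid = filter_param($sid);
        $pid = filter_param($pid);
        $cid = filter_param($cid);
        $qid = filter_param($qid);
    }

    return qq{<a href="/comments/$sid/$cid?pid=$pid&amp;qid=$qid">reply</a>};
}

# Constructed request parameters: three ordinary ids and one value that
# closes the href attribute and inserts its own element.
my %constructed = (
    sid => '2006/8/5/1234',
    pid => '7',
    cid => '12',
    qid => '"><em>injected</em>',
);

print "unfiltered: ", render_comment_controls(\%constructed, 0), "\n";
print "filtered:   ", render_comment_controls(\%constructed, 1), "\n";
```

In the unfiltered output the `qid` value ends the `href` attribute and the `<em>` element lands in the page as live markup; in the filtered output the same bytes appear as `&quot;&gt;&lt;em&gt;...` inside the attribute and render as literal text. The same pattern applies to the single `sid` parameter in addtag and tag_listing: read the parameter, pass it through the filter, and only then use it in output.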