Differences from version 5 to 6



@@ -161,7 +161,7 @@

 ! Report: Multiple XSS
 The report named ''Multiple Cross-site Scripting Vulnerabilities'' has been duplicated across several sites, some of which do not list the concerned pages. The Secunia report has a list of pages that can be tested. In current versions of Bitweaver, __these security issues have been fixed.__ They are all now handled correctly. For the original report, see [http://secunia.com/advisories/32014|Secunia Advisory: SA32014]
 
-To __test if an install is compromised by the exploit__, the string -+<script>alert('hi!');</script>+- can be used. Bitweaver version 2 and above prevent the creation of persistent XSS attacks, so the above script can not be stored within this page and will need to be added manually to the address bar of your browser. The string will be returned with the tag characters converted to %xx equivalents. Below is a list of PHP files of Bitweaver version 1.3 and below that are expected to be vulnerable to XSS-attacks. As the problem has been addressed within the ''core'' processing of Bitweaver, from version 2 on, these files ''and any other files, even if not listed here'', are now considered to be immune against this exploit.
+To __test if an install is compromised by the exploit__, the string {code}<script>alert('hi!');</script>{/code} can be used. Bitweaver version 2 and above prevent the creation of persistent XSS attacks, so the above script can not be stored within this page and will need to be added manually to the address bar of your browser. The string will be returned with the tag characters converted to %xx equivalents. Below is a list of PHP files of Bitweaver version 1.3 and below that are expected to be vulnerable to XSS-attacks. As the problem has been addressed within the ''core'' processing of Bitweaver, from version 2 on, these files ''and any other files, even if not listed here'', are now considered to be immune against this exploit.
 
 * [http://www.bitweaver.org/articles/edit.php/|articles/edit.php]
 * [http://www.bitweaver.org/articles/list.php/|articles/list.php]
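Review bot: In the changed paragraph, the opening "test if an install is compromised by the exploit" names the wrong condition. The alert string shows whether a page still reflects script unescaped, that is, whether the install is vulnerable, not whether it has been compromised. Suggest "test if an install is vulnerable to the exploit". The same line says the string "will be returned with the tag characters converted to %xx equivalents" without saying where the reader should look (address bar, page source or rendered page). Stating that on a fixed install the tags come back encoded and no alert box appears would make the pass condition unambiguous. It is also worth confirming that {code}...{/code} renders inline here: the old -+...+- markup sat mid-sentence, and a block-style code box would split the sentence in two.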
Page History
Date/Comment | User | IP | Version
17 May 2009 (01:51 UTC) | spiderr | 71.77.29.231 | 6
 | Lester Caine | 81.138.11.136 | 5
 | Lester Caine | 81.138.11.136 | 4
 | laetzer | 141.20.150.43 | 3
 | Lester Caine | 81.138.11.136 | 2