Multiple Cross-site Scripting Vulnerabilities
Created by: Lester Caine, Last modification: 10 Dec 2008 (08:23 UTC)
This report has been duplicated across several sites, some of which do not list the reported pages. The Secunia report has a list of pages that can be tested, and these are all now handled correctly.
bitweaver Multiple Cross-Site Scripting Vulnerabilities
Secunia Advisory: SA32014
Example of exploit:
(:exclaim:) A suitable example of what was used to test would be nice ... <script>alert('hi!');</script> is being used for test purposes.
Since the upgrades to script processing also prevent the creation of persistent XSS attacks, the above script cannot be stored within this page, and so will need to be added manually to the address line of your browser. It will be returned with the tag characters converted to their %xx equivalents.
As the problem has been addressed within the core processing of bitweaver, it is not anticipated that other pages would be processed any differently.
Pages listed in the Secunia report:
- articles/edit.php
- articles/list.php
- blogs/list_blogs.php
- blogs/rankings.php
- calendar/index.php
- events/calendar.php
- events/index.php
- events/list_events.php
- fisheye/index.php
- fisheye/list_galleries.php
- liberty/list_content.php
- newsletters/edition.php
- pigeonholes/list.php
- recommends/index.php
- rss/index.php
- stars/index.php
- users/remind_password.php
- wiki/orphan_pages.php
- stats/index.php
An alternative test strategy may be appropriate, but this should show that problems have been addressed.