[Blosxom-users] Blosxom 2.1.2 fixes a cross-site scripting (XSS) issue
From: Axel Beckert <abe@de...> - 2008-10-02 16:18
====================== Blosxom 2.1.2 released ======================

Blosxom 2.1.2 has been released and fixes a cross-site scripting (XSS)
flaw which allowed malicious users to inject HTML and JavaScript code
into Blosxom's error page and possibly also the output of some plugins
and non-default templates.

You can download the Blosxom 2.1.2 tarball [1] at SourceForge.

[1] http://sourceforge.net/project/showfiles.php?group_id=148044&package_id=163216&release_id=630149

Additionally there will be updated Debian packages of Blosxom [2] for
Debian Etch (4.0), Lenny (5.0) and Sid (unstable).

[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500873

We recommend that all Blosxom users, especially those who use plugins
for web-based editing of blog posts or comments, upgrade to version
2.1.2 or to a patched version offered by your favourite distributor.

If you can't upgrade your installation, the recommended workaround is
to remove all occurrences of "$flavour" in the "error head" template
near the end of blosxom.cgi.

The flaw has been assigned the CVE ID CVE-2008-2236 [3] and the JVN ID
03300113 [4]. It has been reported by Yoshinori Ohta of Business
Architects Inc. and is present in all previous 2.x versions of Blosxom,
including those from the no longer up-to-date blosxom.com site.

[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2236
[4] http://jvn.jp/en/jp/JVN03300113/index.html

(Those pages should be available soon.)

		Axel Beckert, for the Blosxom developers
-- 
/~\                                    | Axel Beckert
\ /  Plain Text Ribbon Campaign        | abe@de... (Mail)
 X   Say No to HTML in E-Mail and News | abe@no... (Mail+Jabber)
/ \                                    | http://noone.org/abe/ (Web)
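The substitution the announcement describes, as an added example that is neither Blosxom's own code nor part of the message above: a cut-down model of a "$flavour" placeholder being filled into an error template, first verbatim (the vulnerable case) and then after HTML-escaping, plus an allowlist check that rejects flavour names which are not plain identifiers. Blosxom derives the flavour name from the request (the URL's extension or its flav parameter), which is why the value is attacker-controlled; the template wording, the function names and the hostile sample value below are constructed for this example and do not come from any Blosxom release.

```perl
#!/usr/bin/perl
# Added example, not code from Blosxom or from the announcement above.
# It models how an unescaped $flavour in an error template becomes XSS
# and shows two fixes: HTML-escaping the value, and refusing flavour
# names that are not plain identifiers.
use strict;
use warnings;

# Template in the style of the "error head" template near the end of
# blosxom.cgi. The exact wording here is an assumption for the example.
my $error_head = q{<p>Error: this is the first I've heard of a "$flavour" flavoured Blosxom.</p>};

# Vulnerable rendering: the client-supplied flavour name is substituted
# into the HTML template verbatim, so markup in it reaches the browser.
sub render_unescaped {
    my ($flavour) = @_;
    (my $out = $error_head) =~ s/\$flavour/$flavour/g;
    return $out;
}

# Escape the characters that can open or close HTML tags and attributes.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;    # first, so the entities added below are not re-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Hardened rendering: the same template, but the value is escaped first.
sub render_escaped {
    my ($flavour) = @_;
    my $safe = html_escape($flavour);
    (my $out = $error_head) =~ s/\$flavour/$safe/g;
    return $out;
}

# Stricter still: a flavour is a file-name suffix, so anything outside
# [A-Za-z0-9_-] can be rejected before any template sees it.
sub is_valid_flavour {
    my ($flavour) = @_;
    return $flavour =~ /\A[A-Za-z0-9_-]{1,32}\z/ ? 1 : 0;
}

# Constructed request value: a flavour name carrying markup, as an
# attacker would place it in the URL path extension or ?flav= parameter.
my $hostile = q{html"><script>alert(document.cookie)</script><"};

print "unescaped: ", render_unescaped($hostile), "\n";
print "escaped:   ", render_escaped($hostile),   "\n";
printf "valid flavour? html -> %d, hostile -> %d\n",
    is_valid_flavour('html'), is_valid_flavour($hostile);
```

Run it with a stock perl; the unescaped line contains a live script tag, the escaped line shows the same bytes rendered inert as entities, and the allowlist rejects the hostile value outright. The announcement's workaround of deleting "$flavour" from the template is the zero-code option; escaping or validating the value is what you want once the name has to stay in the message.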