Every web page rendered in project open includes some .js (JavaScript) files. While scanning this application for vulnerabilities, I came across this one, which I'm currently unable to solve.
The issues are related to variables like password, username, token_id, return_url, __refresh_p, __confirm_p.
Please help me to address this issue. Will a filter do, or is there any other solution?
Also, let me know if you have any doubts and want to know more about these issues.
Thanks In Advance!!
Vijay
We have just had a security test from a specialized Washington company that usually works for the military. They've found several issues, but none of them critical, and none of them related to CSS. All of these issues are fixed in CVS HEAD, plus we fixed >100 occurrences of "unsafe programming style".
So:
You talk about CSS issues. Could you please specify? Please create a new forum thread with "Security" in the title and upload the test reports. I would be happy to take charge of dealing with these issues if they are relevant.
The fixed security issues were not critical. They are very difficult to identify and - as far as we have analyzed - even more difficult to exploit. So there is no immediate need to upgrade from V4.0.x to V4.1.
Having said that: There are critical issues in V3.4 and V3.5 that we have posted in the SourceForge "News" section. Please make sure you don't run these versions anymore. Their issues are easily exploitable.
Cheers!
Frank
Thank you so much for the reply, Frank.
It meant a lot to me.
Currently I'm using version 4.0.5.
I've posted the issues in detail by asking a new question here: https://sourceforge.net/p/project-open/discussion/295937/thread/fa59375d/ Please check them out and let me know if any more details are needed.
Regards,
Vijay
Last edit: vijay 2014-06-11
Vijay,
Does this vulnerability still show up when removing the "Register" link?
With version 4.1 (available from CVS HEAD) we have addressed all known CSS issues. We will soon release additional information.
./k
Thank you so much for the reply.
But it will take a while to make it a stable update. Until then, is there any way I can avoid these security issues?
Regards,
Vijay