XSS issue
That's only one possibility. I have some other ideas to maybe bring files to the server as well. Didn't test them thoroughly as they are much more complex. But it is safe to assume that a dedicated attacker will reach that goal on any non-trivial website.
I really wonder. The main trouble between you and me is that you have in my eyes a strange understanding of methods to ensure code quality, and then you're leaving obvious security related issues open for months, even years after I provided fixes for them. That's simply not understandable at all! As I already said above your mitigation does not help. It can easily be circumvented! To do so I made an exploit which bypasses the policies: http://www.isfdb.org/cgi-bin/se.cgi?arg=%3Cscript+src%3D%22%2Fw...
A third issue in this page: Index: biblio/adv_search_results.py =================================================================== --- biblio/adv_search_results.py (Revision 551) +++ biblio/adv_search_results.py (Arbeitskopie) @@ -49,7 +49,7 @@ def results(self): self.parse_parameters() - PrintHeader("Advanced %s Search" % self.search_type) + PrintHeader("Advanced %s Search" % cgi.escape(self.search_type)) PrintNavbar('adv_search_results', 0, 0, 0, 0) self.set_search_type() self.process_terms()...
Proper formatted, no double encoding Index: sources/biblio/adv_search_results.py =================================================================== --- sources/biblio/adv_search_results.py (Revision 551) +++ sources/biblio/adv_search_results.py (Arbeitskopie) @@ -49,7 +49,7 @@ def results(self): self.parse_parameters() - PrintHeader("Advanced %s Search" % self.search_type) + PrintHeader("Advanced %s Search" % cgi.escape(self.search_type)) PrintNavbar('adv_search_results', 0, 0, 0, 0) self.set_search_type()...
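Review bot: the new cgi.escape(self.search_type) call in the results() hunk escapes only &, < and > (quote defaults to False); that is adequate for the element text handed to PrintHeader here, but it leaves " untouched, so pass quote=True if the same value is ever reused inside an attribute. The hunk also shows no import cgi; confirm the module already imports it at the top of adv_search_results.py, since a NameError at this line would break every advanced search page. The same applies to the identical hunk posted in the previous comment.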
Try again with proper formatting?
addpub.py: print '<div id="HelpBox">'
addpub.py- print '<b>Help on adding new publication records: </b>'
addpub.py- print '<a href="http://%s/index.php/Help:Screen:AddPublication">Help:Screen:AddPublication</a><p>' % (WIKILOC)
edit/addpub.py- print '</div>'
The <p> is empty and should be stripped.
HelpBox uses empty <p>, causes HTML lint violation
You're mixing two things here:
1. The issues are bugs in any case and must be fixed
2. The security issue is mitigated by the CSP rules, so that it probably is not a major vulnerability.
A possible way to exploit is to get a js-File onto the server and reference it. Then the CSP rules will no longer protect. That's also why I wrote "while mitigated the issue still exists". The CSP always is only a workaround, not a fix. It should not be possible from user side to inject valid HTML into the pages!
isfdb.org Cross Site Scripting vulnerability
isfdb Cross Site Scripting vulnerability | OBB-1330131
isfdb.org Cross Site Scripting vulnerability | OBB-555717
isfdb.org Cross Site Scripting vulnerability | OBB-331317
Do not display translations • Do not display variants or translations ignores covers
Endless loop of rua-mails
Why do you need that module? Why is there a fallback to root domain at all? That...
Add patch
A commandline argument is size limited and already gets unusable after a few entries...
P.S. I'm talking about the rua-reports. I don't have ruf's enabled and maybe they...
That's nice, but not really a solution to this issue.
OpenDMARC sends report to unauthorized domains
Allow to block outgoing email
Domain database case depends on first entry
Duplicate E-Mail due to strange dmarc entry
Probably. These are default settings of mariadb on openSUSE. Any reason why Beta...
opendmarc-import fails because repuri does not have a default value
Ooops, I wasn't aware that the public links are different. There must be a "/public"...
That's not an optimization, but a bug fix as well. Whenever literals are assigned...
Beta2 of 1.3.2 won't compile
Patch to fix this issue as used e.g. in openSUSE packages.