Posted to user@roller.apache.org by ti...@bt.com on 2008/09/11 14:04:00 UTC
XSS vulnerability in Roller 2.3.x?
Hi
I'm still running a site running Roller 2.3.1
My customer seems to have found an issue whereby the search form on the
blog page seems vulnerable to XSS attack :-(
Just a few questions -
1 - Is this a known issue?
2 - Can I do anything about it? I wrote a Tomcat Valve to strip out
characters for another webapp but would this mess up Roller
functionality?
3 - Would migration to v3 or v4 fix the exploitation?
Thanks
Tim
Re: XSS vulnerability in Roller 2.3.x?
Posted by Dave <sn...@gmail.com>.
On Thu, Sep 11, 2008 at 8:04 AM, <ti...@bt.com> wrote:
> I'm still running a site running Roller 2.3.1
> My customer seems to have found an issue whereby the search form on the
> blog page seems vulnerable to XSS attack :-(
>
> Just a few questions -
> 1 - Is this a known issue?
> 2 - Can I do anything about it? I wrote a Tomcat Valve to strip out
> characters for another webapp but would this mess up Roller
> functionality?
> 3 - Would migration to v3 or v4 fix the exploitation?
We have fixed some XSS vulnerabilities since 2.3.1, but I would need
to know some specifics.
I will email you off-list for more info.
- Dave