[pmwiki-devel] PITS/01030
Petko Yotov
5ko at free.fr
Thu Jun 26 03:44:54 CDT 2008
On Thursday 26 June 2008 10:24:07 Petko Yotov wrote:
> My authform seems to convert < and > to %3E and %3C, so the <script> tag is
> not displayed nor run.
Ok, I had tested this with Forefox and Wget, it gets urlencoded to %3E
and %3C. As I didn't expect Wget to modify the output, I assumed it shows
what it gets. Now I tested the link with Konqueror and the javascript alert
did appear.
Which leaves open the other questions of mine.
> But, if you can trick someone to click on your bogus link leading to my
> site, you can also trick him to click on such a link:
> ...href="javascript:alert('XSS');self.print();"...
>
> which keeps me wondering why would an attacker use my site and what exactly
> can he get from this.
This will certainly be fixed, even if it may be not that serious.
About your question about the process of getting a bug fixed, if it is a real
security vulnerability, Patrick (Pm) may be contacted privately, as he can
quickly provide a bugfix.
Thanks,
Petko
More information about the pmwiki-devel
mailing list