[pmwiki-users] Security Update for Fox and FoxForum

Hans design5 at softflow.co.uk
Sat Dec 1 09:46:31 CST 2007


Saturday, December 1, 2007, 2:09:04 PM, Hans wrote:

> I added the filter htmlspecialchars.
> Without this I could inject javascript code on my local machine with a
> post. This did not happen on my hosting server, so I do not know the
> extent of the danger for javascript injection attacks.

Maybe someone who knows about this better can advise me:

For testing the javascript injection vulnerability I posted

   <script>alert('xss');</script>

On my local machine this produced an alert window to pop up.
Now I see that this only happened because I was using a Debug mode,
which uses 'echo' statements to show me various variable values.
Without any 'echo' I don't get an alert box in this test.

Now I do not know if this makes the vulnerability any less severe, or
even if it does not exist in this case. Please advise me if you know!


  ~Hans
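An added example, not code from the Fox recipe or from Hans, contrasting the debug-mode echo described above with the same output passed through htmlspecialchars; the function names and the field layout are assumptions:

```php
<?php
declare(strict_types=1);

// Constructed input: the exact test payload from the message.
$posted = "<script>alert('xss');</script>";

// What a debug-mode echo effectively does: a request value is written
// straight into the page, so any HTML in it is parsed by the browser.
function debug_echo_unsafe(string $value): string
{
    return "<p>Debug: value = " . $value . "</p>";
}

// The same output with htmlspecialchars applied at the point of output.
// ENT_QUOTES also escapes single quotes, so the value is safe inside
// attribute values, not only between tags.
function debug_echo_escaped(string $value): string
{
    return "<p>Debug: value = "
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
        . "</p>";
}

// Filter every posted field, as a recipe would before using or storing
// them. Nested arrays (checkbox groups) are handled recursively.
function filter_post_fields(array $post): array
{
    $clean = [];
    foreach ($post as $name => $value) {
        $clean[$name] = is_array($value)
            ? filter_post_fields($value)
            : htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return $clean;
}

$unsafe  = debug_echo_unsafe($posted);
$escaped = debug_echo_escaped($posted);

// Does a live <script> tag reach the browser in each case?
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($escaped, '<script>') !== false);

// Assumed form fields (constructed), filtered before any echo.
$fields = filter_post_fields(['text' => $posted, 'author' => "O'Brien"]);
print_r($fields);
```

The escaped output contains only text such as `&lt;script&gt;`, so the browser shows the payload instead of running it, whichever server the debug echo happens on.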
