Instiki XSS flaw -- also in i2?
user name
2007-02-27 20:39:41
There is an XSS vulnerability in instiki .11, if you aren't running the very latest release.  I'm not sure why there hasn't been an announcement to this list about the issue, as if you *aren't* running .11p1 then you are vulnerable.  Note that .11p1 was released today, Feb. 27.

If you go to instiki.org you can see a javascript popup, which illustrates the flaw nicely and points you to a description of the flaw:

http://golem.ph.utexas.edu/~distler/blog/archives/001181.html

Does anyone know if this also affects i2?  Here is a link to p1 if you want to update your instiki installation:

http://rubyforge.org/frs/shownotes.php?release_id=10014

- Rob
_______________________________________________
Instiki-users mailing list
Instiki-users@rubyforge.org
http://rubyforge.org/mailman/listinfo/instiki-users

Re: Instiki XSS flaw -- also in i2?
user name
2007-02-28 03:41:48
thanks for pointing to the 0.11.pl1 release, rob. yesterday i was preparing the release the whole day but still didn't report it here. please spread the word about the security release.

for i2: i think the cross-site scripting is because of the bad sanitize functions in rails, so expect more applications to be vulnerable. i2 is not really the instiki codebase, since it is only intended to work on the main rails wiki site.

guys, please submit patches for the 0.12 version, since i want to get this thing forward.

greetings,
parasew

On 2/28/07, Rob Sanheim <rsanheim@gmail.com> wrote:
> There is an XSS vulnerability in instiki .11, if you aren't running the very latest release.  I'm not sure why there hasn't been an announcement to this list about the issue, as if you *aren't* running .11p1 then you are vulnerable.  Note that .11p1 was released today, Feb. 27.
>
> If you go to instiki.org you can see a javascript popup, which illustrates the flaw nicely and points you to a description of the flaw:
>
> http://golem.ph.utexas.edu/~distler/blog/archives/001181.html
>
> Does anyone know if this also affects i2?  Here is a link to p1 if you want to update your instiki installation:
>
> http://rubyforge.org/frs/shownotes.php?release_id=10014
>
>
> - Rob
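An added illustration of the point parasew's reply makes about sanitizers (example code written for this page, not Instiki's, i2's or Rails' own sanitize implementation): a wiki that lets users type HTML can only be safe if it rebuilds the markup from an allowlist of known-good tags and attributes, rather than trying to strip known-bad ones. The tag list, the `http`/`https` scheme allowlist and the helper names below are constructed for the example; the sample inputs are likewise made up and are the sort of markup an attacker would drop into a page.

```ruby
require 'cgi'
require 'strscan'

# Allowlist of tags and, per tag, the attributes that may survive.
# This list is a constructed illustration, not Instiki's or Rails' own.
ALLOWED_TAGS = {
  'p' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
  'code' => [], 'pre' => [], 'a' => ['href']
}.freeze

SAFE_SCHEMES = %w[http https].freeze

TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# A link target is kept only if it is relative or uses an allowed scheme.
# Whitespace and control characters are removed before the check so that
# an obfuscated scheme prefix is still recognised as a scheme.
def safe_href?(value)
  v = value.gsub(/[\s[:cntrl:]]/, '').downcase
  m = v.match(/\A([a-z][a-z0-9+.\-]*):/)
  return true unless m # no scheme at all: treated as a relative link
  SAFE_SCHEMES.include?(m[1])
end

# Rebuild one tag from scratch: unknown tags become literal text, unknown
# attributes (including every on* event handler) are dropped, and the
# attribute values that remain are re-escaped.
def rewrite_tag(tag)
  m = TAG_RE.match(tag)
  closing = m[1] == '/'
  name = m[2].downcase
  allowed_attrs = ALLOWED_TAGS[name]
  return CGI.escapeHTML(tag) unless allowed_attrs
  return "</#{name}>" if closing

  kept = []
  m[3].scan(ATTR_RE) do |aname, dq, sq, bare|
    aname = aname.downcase
    value = dq || sq || bare || ''
    next unless allowed_attrs.include?(aname)
    next if aname == 'href' && !safe_href?(value)
    kept << %(#{aname}="#{CGI.escapeHTML(value)}")
  end
  kept.empty? ? "<#{name}>" : "<#{name} #{kept.join(' ')}>"
end

# Walk the input: tags are rewritten, everything else is escaped as text.
def sanitize(html)
  s = StringScanner.new(html)
  out = +''
  until s.eos?
    if (tag = s.scan(TAG_RE))
      out << rewrite_tag(tag)
    elsif (text = s.scan(/[^<]+/))
      out << CGI.escapeHTML(text)
    else
      out << CGI.escapeHTML(s.getch) # a stray '<' that starts no tag
    end
  end
  out
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs of the kind a wiki page might contain.
  [
    '<b onmouseover="alert(1)">hover me</b>',
    '<a href="javascript:alert(1)">link</a>',
    '<script>alert(1)</script>',
    "<A HREF='/HomePage'>home</A>"
  ].each { |sample| puts "#{sample}\n  => #{sanitize(sample)}" }
end
```

The design choice worth noticing is that nothing from the input is copied through unchanged: every tag is re-emitted from its parsed name and surviving attributes, so an event-handler attribute or a `javascript:` link never has a path to the output, and an unknown tag is shown to the reader as text rather than interpreted by the browser.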