document XSS

master
Joey Hess 2011-01-22 10:23:09 -04:00
parent b5d7469830
commit afeb8db569
1 changed files with 9 additions and 0 deletions

@ -453,3 +453,12 @@ preview or moderation of comments with such a configuration.
These problems were discovered on 12 November 2010 and fixed the same
hour with the release of ikiwiki 3.20101112. ([[!cve CVE-2010-1673]])
## javascript insertation via insufficient checking in comments
Dave B noticed that attempting to comment on an illegal page name could be
used for an XSS attack.
This hole was discovered on 22 Jan 2011 and fixed the same day with
the release of ikiwiki 3.20110122. An upgrade is recommended for sites
with the comments plugin enabled.
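Review bot: the new heading reads "javascript insertation"; that should be "insertion", and since section headings typically become anchors it is worth fixing before anything links to it. The preceding entry ends with a `[[!cve CVE-2010-1673]]` reference while this one has none, so if an identifier is assigned for this hole, add it in the same form. The entry also says only that an "illegal page name" could be used, without naming which releases are affected or what the fix changed (for example, whether the page name is now validated or escaped before being echoed back). A sentence on each would let administrators who cannot upgrade immediately judge their exposure beyond "comments plugin enabled".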