| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.55.0305121608180.21512@afybt.areqp.hsy.rqh>
Date: Mon, 12 May 2003 16:25:36 -0400 (EDT)
From: Jordan Wiens <jwiens@...sp.nerdc.ufl.edu>
To: DarkHunter <darkhunter7@...kermail.com>
Subject: Re: CSS found in Movable Type
After taking a bit closer look at it, it appears that this is likely
result of the option:
"Allow HTML in comments?"
(Select Weblog Config / Preferences, scroll towards the bottom)
The default is for that option to be disabled.
Additionally, perusing the mt.cfg file yields the following:
# By default, Movable Type cleans up ("sanitizes") any data submitted by
# visitors to your site. This is done to remove any code (HTML or otherwise)
# that could compromise the security of your site. The sanitization code works
# by only allowing certain HTML tags--any other tags, and all processing
# instructions (PHP, for example) are stripped. The GlobalSanitizeSpec
# setting, then, specifies the tags and attributes that are allowed. The
# default setting is "a href,b,br/,p,strong,em,ul,li,blockquote".
#
# GlobalSanitizeSpec br/,p
It seems that only by changing those two options could an installation be
vulnerable to javascript cross-site scripting, though I could be wrong.
--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061
On Mon, 12 May 2003, Jordan Wiens wrote:
> I just tried it on an installed 2.63 MT and was unable to get the XSS to
> work. Tried the javascript samples in Name, email, homepage, and comment
> field, all with no success. MT properly elminated < > tags and left the
> < as <, not allowing any execution.
>
>
Powered by blists - more mailing lists