Search found 8 matches

by Teme
Sat Nov 01, 2008 12:02 pm
Forum: Modules/Add-Ons
Topic: ForumMadeSimple feature request
Replies: 9
Views: 2686

Re: ForumMadeSimple feature request

alby is right. When the software gets HTML tags from unknown sources, it has to have a good "whitelist" and the tag parser has to be 100% correct. Otherwise the system becomes vulnerable to cross-site scripting bugs. A much better practice is to translate non-HTML tags to HTML and ignore unknown tag...
by Teme
Fri Oct 31, 2008 9:56 pm
Forum: Layout and Design (CSS & HTML)
Topic: How To Set My Home Page?
Replies: 3
Views: 1590

Re: How To Set My Home Page?

The following configuration problems exist in this installation:
* Default page does not include index.php
** At Apache's https.conf I have: DirectoryIndex index.html index.htm index.shtml index.php
* It does not deny the file listing under the directory c:/htdocs
** At Apache the Options -direct...
by Teme
Thu Oct 30, 2008 3:46 pm
Forum: [locked] Quality Assurance
Topic: The Quality Assurance Team
Replies: 15
Views: 33466

Re: The Quality Assurance Team

Good news. Now I have taken over the QATeam. I have begun to formalize the work with a small team which will be announced later. I have initial permission to use some of my co-workers from a quality consulting company to formalize the testing efforts. It is a project for us, so it will end at some point. ...
by Teme
Thu Oct 30, 2008 9:42 am
Forum: CMSMS Core
Topic: [solved] Has anyone had a 403 (Error 403: Forbidden) error caused
Replies: 5
Views: 2030

Re: Has anyone had a 403 (Error 403: Forbidden) error caused by the word "from" when

Another option is that there is some other web application firewall (WAF) between your browser and the server. The word "from" is a keyword in SQL, so the WAF might think that someone is trying SQL injection.

Teme
by Teme
Thu Oct 30, 2008 8:25 am
Forum: [locked] Quality Assurance
Topic: The Quality Assurance Team
Replies: 15
Views: 33466

Re: The Quality Assurance Team

I sent a request to join the QATeam yesterday. Hopefully the admins of that group will read their mail every now and then.

The plan is to start to formalize the testing efforts. But we'll see... Ted knows more about the plans.

Teme
by Teme
Mon Oct 27, 2008 8:22 pm
Forum: [locked] Quality Assurance
Topic: Possible security issue: Cross-site request forgery
Replies: 6
Views: 17053

Re: Possible security issue: Cross-site request forgery

Even with the local site there is a real danger if the local site has interactive components like discussion forums with the img tag. That is not exploiting the post forms, but it can still cause plenty of problems.

Teme
by Teme
Mon Oct 27, 2008 9:21 am
Forum: [locked] Quality Assurance
Topic: The Quality Assurance Team
Replies: 15
Views: 33466

Re: The Quality Assurance Team

It looks like this group is not very active. I'd like to know who has the main responsibility of the QA activities at the moment.

Teme
by Teme
Sat Oct 25, 2008 5:20 pm
Forum: [locked] Quality Assurance
Topic: Possible security issue: Cross-site request forgery
Replies: 6
Views: 17053

Re: Possible security issue: Cross-site request forgery

Hi, I have discussed this with the developers on IRC. I was most likely the one who originally found the problem. Obfuscating is a really bad way to secure the system, but at the moment the only way to do it. The real fix is much more complex. All links which are able to modify any data should be secured wi...
