On one of my sites, someone by the name "L0j1k" left a comment and a script
alert('test')
that opens a popup with "test" when you open the page.
This person mentions the vulnerability here:
http://www.l0j1k.com/LoFiPages/mainPage.php
Script in comments
- Elijah Lofgren
- Power Poster
- Posts: 811
- Joined: Mon Apr 24, 2006 1:01 am
Re: Script in comments
I got the same thing. Ted is working on releasing a new version of Comments to fix this. I had added the ability to disable HTML in Comments SVN. Looks like we'll need to turn that on or make sure that JS gets removed by default.
Note: I don't have time to take on any more projects. I'm quite busy. I may be too busy to reply to emails or messages. Thanks for your understanding. 

- Elijah Lofgren
- Power Poster
- Posts: 811
- Joined: Mon Apr 24, 2006 1:01 am
Re: Script in comments
Attached is a fixed version of Comments. It will disable HTML in comments by default (and upgrades) which will remove the XSS vulnerability.
Ted should formally release Comments 1.8.0 soon.
Elijah
[deleted by administrator]
Note: I don't have time to take on any more projects. I'm quite busy. I may be too busy to reply to emails or messages. Thanks for your understanding. 
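As an added illustration of the two defences mentioned in this thread (disabling HTML in comments entirely, or allowing HTML but making sure script gets removed), here is a small Python rendering routine. It is example code written for this post, not code from the Comments module or from anyone in the thread; the `render_comment` function, the tag allowlist and the sample comment bodies are all assumptions and constructed inputs.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist of harmless formatting tags (an assumption, not the module's list).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}


class AllowlistSanitizer(HTMLParser):
    """Rebuild comment markup keeping only allowlisted tags, with no attributes.

    Anything not on the allowlist (script, iframe, event-handler attributes,
    javascript: URLs) is dropped, and all text is HTML-escaped on the way out.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        # Attributes are discarded wholesale so onmouseover="..." and friends never survive.
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content of a dropped <script> block ends up here as inert, escaped text.
        self.out.append(html.escape(data, quote=True))

    def result(self):
        return "".join(self.out)


def render_comment(body, allow_html=False):
    """Return the HTML to embed in the page for one stored comment body.

    allow_html=False is the "disable HTML in comments" default from the fix:
    every character is escaped, so a comment can never contribute markup.
    allow_html=True keeps basic formatting but strips anything that can run script.
    """
    if not allow_html:
        return html.escape(body, quote=True)
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed comment bodies in the shape of the one described in this thread.
    samples = [
        "<script>alert('test')</script>",
        "<b onmouseover=\"alert('test')\">hover me</b>",
        "<a href=\"javascript:alert('test')\">link</a> and <i>italics</i>",
    ]
    for body in samples:
        print("HTML disabled :", render_comment(body))
        print("HTML allowlist:", render_comment(body, allow_html=True))
```

With HTML disabled the whole comment is emitted as escaped text, which is why the default flip in the fixed release closes the hole; the allowlist mode shows what "making sure JS gets removed" has to cover if HTML is ever turned back on: not only `<script>` but attributes and link schemes too.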

Re: Script in comments
Hello. For the record, I notified Ted Kulp of this problem via email as soon as I had confirmed it. I have reported it to Bugtraq as of this afternoon, but only after having confirmed with Ted that a fix was made and awaiting publication (I made sure to miss the publication deadline for today seeing as how it's the holiday and I wanted to give as much time to the developers as possible to publish the fix).
To sanjay, I would like to apologize for putting the XSS on your site. Where I could, I tried to put it in a reply to a user comment so that it wouldn't appear on the main page, rather on the separate page for replies to user comments.
I have listed my full (albeit simple) report at:
http://www.L0j1k.com/securityCMSMadeSim ... 5Dec06.txt
Merry Christmas, everyone. And a happy New Year, and Kwanzaa or whatever.
Re: Script in comments
Elijah Lofgren, you have to admit he is a funny guy after all. Looks inoffensive to me. He found you even here. LOL
Last edited by forgot on Mon Apr 16, 2007 4:20 pm, edited 1 time in total.
Re: Script in comments
The Nouveau Riche University forum is filled with these scripts. Isn't there anything we can do to get rid of them?