Script in comments
Posted: Mon Dec 25, 2006 10:36 pm
by sanjay
On one of my sites, someone by the name "L0j1k" left a comment containing a script, alert('test'), that opens a popup with "test" when you open the page.
This person mentions the vulnerability here:
http://www.l0j1k.com/LoFiPages/mainPage.php
Re: Script in comments
Posted: Mon Dec 25, 2006 11:50 pm
by Elijah Lofgren
I got the same thing. Ted is working on releasing a new version of Comments to fix this. I had added the ability to disable HTML in Comments SVN. Looks like we'll need to turn that on or make sure that JS gets removed by default.
Re: Script in comments
Posted: Tue Dec 26, 2006 12:35 am
by Elijah Lofgren
Attached is a fixed version of Comments. It will disable HTML in comments by default (and upgrades) which will remove the XSS vulnerability.
Ted should formally release Comments 1.8.0 soon.
Elijah
[deleted by administrator]
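As an added illustration (my own code, not the Comments module's), this is what "disable HTML in comments" amounts to on the rendering side: the stored comment body is escaped on output, so the payload from this thread reaches the browser as text and never as a tag. Function names and the sample comment are assumed for the example.

```php
<?php
// Constructed sample of what was stored in the comment body.
$stored_comment = "Nice site! <script>alert('test')</script>";

/**
 * Render a comment body for inclusion in an HTML page.
 * With $allow_html = false (the new default described in the thread) every
 * HTML-significant character is escaped, so the browser never sees a tag.
 * With $allow_html = true the legacy behaviour is kept for comparison:
 * the body is inserted unchanged, which is exactly the XSS hole.
 */
function render_comment(string $body, bool $allow_html = false): string
{
    if ($allow_html) {
        return $body; // vulnerable legacy path
    }
    // ENT_QUOTES escapes ' and " as well, so the result is also safe inside
    // attribute values; ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Check a maintainer can run on rendered output: no raw tag may survive. */
function contains_raw_tag(string $html): bool
{
    return preg_match('/<\s*\/?\s*[a-z]/i', $html) === 1;
}

$vulnerable = render_comment($stored_comment, true);
$fixed      = render_comment($stored_comment, false);

echo "HTML allowed : $vulnerable\n";
echo "HTML disabled: $fixed\n";

// The escaped version must not contain anything the browser parses as a tag.
if (!contains_raw_tag($vulnerable) || contains_raw_tag($fixed)) {
    throw new RuntimeException('output escaping check failed');
}
echo "escaping check passed\n";
```

The same escaping must be applied everywhere the comment is printed (listing page, reply page, admin panel), since one unescaped template is enough to reintroduce the bug.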
Re: Script in comments
Posted: Tue Dec 26, 2006 2:08 am
by L0j1k
Hello. For the record, I notified Ted Kulp of this problem via email as soon as I had confirmed it. I have reported it to Bugtraq as of this afternoon, but only after having confirmed with Ted that a fix was made and awaiting publication (I made sure to miss the publication deadline for today seeing as how it's the holiday and I wanted to give as much time to the developers as possible to publish the fix).
To sanjay, I would like to apologize for putting the XSS on your site. Where I could, I tried to put it in a reply to a user comment so that it wouldn't appear on the main page, rather on the separate page for replies to user comments.
I have listed my full (albeit simple) report at:
http://www.L0j1k.com/securityCMSMadeSim ... 5Dec06.txt
Merry Christmas, everyone. And a happy New Year, and Kwanzaa or whatever.
Re: Script in comments
Posted: Mon Apr 16, 2007 4:15 pm
by forgot
Elijah Lofgren, you have to admit he is a funny guy after all. Looks inoffensive to me. He found you even here. LOL
Re: Script in comments
Posted: Wed Jan 23, 2008 12:41 am
by johannabartley
The Nouveau Riche University forum is filled with these scripts. Ain't there anything we can do to get rid of them?