
Item11087: SlideShowPlugin must urlencode both the name and value of query parameters

Priority: Urgent
CurrentState: Closed
AppliesTo: Extension
Component: SlideShowPlugin
WaitingFor: Main.KennethLavrsen

Only the value was encoded, which meant that the name could be things other than the name of a parameter. That is something we do not want.

-- KennethLavrsen - 28 Aug 2011
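The defect described in this item, shown side by side with the fix, as an added example in Perl (the language SlideShowPlugin is written in). This is illustrative code written for this page, not the plugin's own code or Foswiki's API; the helpers url_encode, url_decode, build_query_value_only, build_query and parse_query are hypothetical names, and the parameter names in %params are constructed inputs chosen because they contain query metacharacters.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Percent-encode everything except the RFC 3986 unreserved characters.
# (Hypothetical helper written for this example; not the plugin's code.)
sub url_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Reverse of url_encode, used by the parser below.
sub url_decode {
    my ($s) = @_;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# The defect the item describes: only the value is encoded, so a name
# containing '=', '&', '"' or '<' reaches the page unchanged and can change
# the structure of the query or of the HTML it is embedded in.
sub build_query_value_only {
    my (%params) = @_;
    return join '&', map { $_ . '=' . url_encode($params{$_}) } sort keys %params;
}

# The fix: encode name and value separately, then join the pairs.
sub build_query {
    my (%params) = @_;
    return join '&',
        map { url_encode($_) . '=' . url_encode($params{$_}) } sort keys %params;
}

# Minimal query-string parser, used only to show what a server would see.
sub parse_query {
    my ($qs) = @_;
    my %seen;
    for my $pair (split /&/, $qs) {
        my ($n, $v) = split /=/, $pair, 2;
        $v = '' unless defined $v;
        $seen{ url_decode($n) } = url_decode($v);
    }
    return \%seen;
}

# Constructed input: a parameter *name* that contains query metacharacters.
my %params = (
    'slideshow'      => 'on',
    'skin&cover=yes' => 'print',   # constructed: '&' and '=' inside the name
);

for my $builder ([ 'value only', \&build_query_value_only ],
                 [ 'name+value', \&build_query ]) {
    my ($label, $fn) = @$builder;
    my $qs     = $fn->(%params);
    my $parsed = parse_query($qs);
    my @names  = sort keys %$parsed;
    print "$label: $qs\n";
    print "  parameters seen by the server: ", join(', ', @names), "\n";
    print "  round-trips: ",
        (join('|', @names) eq join('|', sort keys %params) ? 'yes' : 'NO'), "\n";
}
```

With value-only encoding the name `skin&cover=yes` is emitted verbatim, so the server parses three parameters (`cover`, `skin`, `slideshow`) instead of the two that were intended; with both halves encoded the query round-trips exactly. The round-trip check at the end is the kind of regression test worth keeping next to any query-building helper: every name and value that goes in must come back out of a standard parser unchanged.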

The patched plugin has been released in Extensions web.

-- KennethLavrsen - 28 Aug 2011

This issue was triaged as a Severity 3 issue per SecurityAlertProcess

As it is a pure simple XSS thing and contained within a plugin we decided to release the plugin itself and announce this in the foswiki-announce mailing list. We also decided not to hurry out 1.1.4 as we have a few important bug fixes we want to include in 1.1.4.

The download page for 1.1.3 has a note about updating the SlideShowPlugin. Also the KnownIssuesOfFoswiki01x01 and SecurityAlerts pages are updated.

Per policy only level 1 and 2 alerts require a CVE. We have used CVE for XSS and CSRF vectors when the issue was severe. But here it related to one slide show page so it is not needed to use the big canon.

-- KennethLavrsen - 28 Aug 2011

Summary: SlideShowPlugin must urlencode both the name and value of query parameters
ReportedBy: KennethLavrsen
Codebase: 1.1.3, trunk
SVN Range:
AppliesTo: Extension
Component: SlideShowPlugin
Priority: Urgent
CurrentState: Closed
WaitingFor: KennethLavrsen
Checkins: Foswikirev:12410 Foswikirev:12411
TargetRelease: patch
ReleasedIn: 1.1.4
Topic revision: r4 - 17 Dec 2011, GeorgeClark