Item11087: SlideShowPlugin must urlencode both the name and value of query parameters
Priority: Urgent
Current State: Closed
Released In: 1.1.4
Target Release: patch
Only the value was encoded, which meant that the name could be things other than the name of a parameter. That is something we do not want.
--
KennethLavrsen - 28 Aug 2011
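The following is an added example, not code from the ticket or from SlideShowPlugin (which is written in Perl); it is written in Python so it runs stand-alone. It contrasts the pattern the report describes (only the value percent-encoded, the name concatenated as-is) with a builder that encodes both halves, and checks whether the resulting query string decodes back to exactly the pairs that were intended. The parameter names and values are constructed for the illustration; the idea that names can be attacker-influenced is an assumption drawn from the report's wording, not a statement about where the plugin took them from.

```python
from urllib.parse import quote, parse_qsl


def build_query_value_only(params):
    """The flawed pattern: percent-encode the value, paste the name in raw.

    Constructed illustration of the bug class described in the ticket, not
    the plugin's actual code.
    """
    return "&".join(
        f"{name}={quote(str(value), safe='')}" for name, value in params
    )


def build_query_safe(params):
    """Hardened builder: percent-encode both the name and the value.

    safe='' makes quote() encode '=', '&', '<', '>', '"' and friends, so a
    name can never act as a separator or break out of an HTML attribute.
    """
    return "&".join(
        f"{quote(str(name), safe='')}={quote(str(value), safe='')}"
        for name, value in params
    )


def round_trips(params, query):
    """True if decoding the query yields exactly the intended pairs.

    If a raw name smuggled in '&' or '=', parse_qsl will see extra or
    different parameters and this returns False.
    """
    intended = [(str(n), str(v)) for n, v in params]
    return parse_qsl(query, keep_blank_values=True) == intended


def has_markup_breakout(query):
    """True if the query still contains characters that could close an
    href="..." attribute or start a tag when the URL is written into HTML."""
    return any(c in query for c in '<>"\'')


# Constructed sample input: one honest parameter plus a hostile name that
# tries to inject a second parameter ("skin=text") via the name field.
SAMPLE_PARAMS = [("slideshow", "on"), ("skin=text&foo", "bar")]

# Constructed sample: a name carrying an attribute/tag breakout attempt.
XSS_PARAMS = [('"><script>alert(1)</script>', "")]


if __name__ == "__main__":
    for label, builder in (("value-only", build_query_value_only),
                           ("name+value", build_query_safe)):
        q = builder(SAMPLE_PARAMS)
        print(f"{label:10s} {q!r:45s} round-trips={round_trips(SAMPLE_PARAMS, q)}")
        x = builder(XSS_PARAMS)
        print(f"{label:10s} {x!r:45s} breakout={has_markup_breakout(x)}")
```

Run it and the value-only builder yields `slideshow=on&skin=text&foo=bar`, which decodes to three parameters instead of two, while the hardened builder yields `slideshow=on&skin%3Dtext%26foo=bar`, which decodes back to the two intended pairs. The same check shows the hostile name retaining raw `"` and `<` in the value-only output and being fully percent-encoded in the safe output.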
The patched plugin has been released in Extensions web.
--
KennethLavrsen - 28 Aug 2011
This issue was triaged as a Severity 3 issue per SecurityAlertProcess.
As it is a pure simple XSS thing and contained within a plugin, we decided to release the plugin itself and announce this on the foswiki-announce mailing list. We also decided not to hurry out 1.1.4, as we have a few important bug fixes we want to include in 1.1.4.
The download page for 1.1.3 has a note about updating the SlideShowPlugin. Also the KnownIssuesOfFoswiki01x01 and SecurityAlerts pages are updated.
Per policy only level 1 and 2 alerts require a CVE. We have used a CVE for XSS and CSRF vectors when the issue was severe. But here it relates to one slide show page, so it is not needed to use the big cannon.
--
KennethLavrsen - 28 Aug 2011