Item11087: SlideShowPlugin must urlencode both the name and value of query parameters

Priority: Urgent
Current State: Closed
Released In: 1.1.4
Target Release: patch
Applies To: Extension
Component: SlideShowPlugin
Branches:
Reported By: KennethLavrsen
Waiting For: Main.KennethLavrsen
Last Change By: GeorgeClark
Only the value was encoded, which meant that the name could be things other than the name of a parameter. Something we do not want.

-- KennethLavrsen - 28 Aug 2011
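As an added illustration of the bug described above (this is not the plugin's own code, which is Perl; Python is used here so it runs stand-alone), the builder below shows the value-only encoding beside the corrected form, with a constructed parameter name that contains query delimiters:

```python
from urllib.parse import quote, parse_qsl


def build_query_value_only(params):
    """Defective form: only the value is percent-encoded.

    A name containing '&' or '=' is emitted verbatim and therefore splits
    into extra parameters (or, when echoed into HTML, into extra markup).
    """
    return "&".join(f"{name}={quote(str(value), safe='')}"
                    for name, value in params.items())


def build_query_encoded(params):
    """Corrected form: both the name and the value are percent-encoded."""
    return "&".join(f"{quote(str(name), safe='')}={quote(str(value), safe='')}"
                    for name, value in params.items())


def param_names(query):
    """Parameter names as a receiver would see them after parsing."""
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)]


def round_trips(builder, params):
    """True when the receiver recovers exactly the pairs we intended to send.

    This is the check a reviewer can apply to any query builder: names that
    are not encoded will fail it as soon as they carry a delimiter.
    """
    return parse_qsl(builder(params), keep_blank_values=True) == list(params.items())


# Constructed sample input: one ordinary parameter and one whose *name*
# carries '=' and '&', the case the fix is about.
SAMPLE_PARAMS = {"slideshow": "on", "cover=print&extra": "1"}

if __name__ == "__main__":
    print(build_query_value_only(SAMPLE_PARAMS))   # three parameters arrive
    print(build_query_encoded(SAMPLE_PARAMS))      # two parameters arrive
    print(round_trips(build_query_value_only, SAMPLE_PARAMS))  # False
    print(round_trips(build_query_encoded, SAMPLE_PARAMS))     # True
```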

The patched plugin has been released in Extensions web.

-- KennethLavrsen - 28 Aug 2011

This issue was triaged as a Severity 3 issue per SecurityAlertProcess

As it is a pure simple XSS thing and contained within a plugin, we decided to release the plugin itself and announce this in the foswiki-announce mailing list. We also decided not to hurry out 1.1.4 as we have a few important bug fixes we want to include in 1.1.4.

The download page for 1.1.3 has a note about updating the SlideShowPlugin. Also the KnownIssuesOfFoswiki01x01 and SecurityAlerts pages are updated.

Per policy only level 1 and 2 alerts require a CVE. We have used CVEs for XSS and CSRF vectors when the issue was severe. But here it relates to one slide show page, so it is not needed to use the big cannon.

-- KennethLavrsen - 28 Aug 2011
Summary: SlideShowPlugin must urlencode both the name and value of query parameters
ReportedBy: KennethLavrsen
Codebase: 1.1.3, trunk
SVN Range:
AppliesTo: Extension
Component: SlideShowPlugin
Priority: Urgent
CurrentState: Closed
WaitingFor: KennethLavrsen
Checkins: distro:a5c69d66819c distro:81c92cb85a9c
TargetRelease: patch
ReleasedIn: 1.1.4
Topic revision: r4 - 17 Dec 2011, GeorgeClark