[geeklog-cvs] geeklog-1.3/docs changes.html,1.18.2.4,1.18.2.5 history,1.120.2.4,1.120.2.5

dhaun at geeklog.net dhaun at geeklog.net
Sat Jan 24 11:34:27 EST 2004


Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory geeklog_prod:/tmp/cvs-serv12155/docs

Modified Files:
      Tag: geeklog_1_3_8_1_1
	changes.html history 
Log Message:
Updated documentation


Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.18.2.4
retrieving revision 1.18.2.5
diff -C2 -d -r1.18.2.4 -r1.18.2.5
*** changes.html	18 Jan 2004 21:45:09 -0000	1.18.2.4
--- changes.html	24 Jan 2004 16:34:24 -0000	1.18.2.5
***************
*** 38,41 ****
--- 38,50 ----
  <li>It was possible to browse through the comments of a story even if the user
      did not have access to the actual story (reported by Peter Roozemaal).</li>
+ <li>Due to an XSS issue, it was possible to change someone's account settings
+     (including the password) if you got them to click on a specially crafted
+     link (reported by Jelmer, fix suggested by Vincent Furia).</li>
+ <li>The comment display suffered from the possibility of an SQL injection
+     (reported by Jelmer).</li>
+ <li>It was possible to inject Javascript code in the calendar (reported by
+     Jelmer).</li>
+ <li>It was possible to execute (but not save) Javascript code in the comment
+     preview (reported by Jelmer).</li>
  </ol>
  
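Review bot: the first added <li> (the account-settings item) attributes the flaw to XSS, yet the description of a victim being tricked into clicking a crafted link reads equally as cross-site request forgery; the entry should say which class of flaw the fix actually closes (script output now being escaped, or the settings change now being tied to a request from the site's own form), since that tells administrators whether other forms in 1.3.8 need the same review. The two later items also spell "Javascript" inconsistently with the usual "JavaScript".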

Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.120.2.4
retrieving revision 1.120.2.5
diff -C2 -d -r1.120.2.4 -r1.120.2.5
*** history	18 Jan 2004 21:45:09 -0000	1.120.2.4
--- history	24 Jan 2004 16:34:24 -0000	1.120.2.5
***************
*** 1,8 ****
  GeekLog History/Changes:
  
! January 21, 2004 (1.3.8-1sr4)
  ----------------
  
! This release addresses the following security-related issues:
  
  1. It was possible for users in the Group Admin and User Admin groups to
--- 1,8 ----
  GeekLog History/Changes:
  
! January 26, 2004 (1.3.8-1sr4)
  ----------------
  
! This release addresses the following security issues:
  
  1. It was possible for users in the Group Admin and User Admin groups to
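Review bot: the release date moves from January 21 to January 26, 2004, but the changes.html hunk in this same commit only appends list items; confirm that the date printed in changes.html is updated as well, otherwise the HTML and plain-text changelogs will disagree about when 1.3.8-1sr4 shipped.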
***************
*** 16,19 ****
--- 16,28 ----
  4. It was possible to browse through the comments of a story even if the user
     did not have access to the actual story (reported by Peter Roozemaal).
+ 5. Due to an XSS issue, it was possible to change someone's account settings
+    (including the password) if you got them to click on a specially crafted
+    link (reported by Jelmer, fix suggested by Vincent Furia).
+ 6. The comment display suffered from the possibility of an SQL injection
+    (reported by Jelmer).
+ 7. It was possible to inject Javascript code in the calendar (reported by
+    Jelmer).
+ 8. It was possible to execute (but not save) Javascript code in the comment
+    preview (reported by Jelmer).
  
  
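Review bot: items 5 through 8 duplicate the four new changes.html entries word for word, including the "Javascript" spelling and the XSS-versus-crafted-link wording in item 5; whichever phrasing is settled on should be applied to both files in the same commit so the two changelogs do not drift.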