[geeklog-cvs] geeklog-1.3/docs changes.html,1.18.2.4,1.18.2.5 history,1.120.2.4,1.120.2.5
dhaun at geeklog.net
Sat Jan 24 11:34:27 EST 2004
Update of /usr/cvs/geeklog/geeklog-1.3/docs
In directory geeklog_prod:/tmp/cvs-serv12155/docs
Modified Files:
Tag: geeklog_1_3_8_1_1
changes.html history
Log Message:
Updated documentation
Index: changes.html
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/changes.html,v
retrieving revision 1.18.2.4
retrieving revision 1.18.2.5
diff -C2 -d -r1.18.2.4 -r1.18.2.5
*** changes.html 18 Jan 2004 21:45:09 -0000 1.18.2.4
--- changes.html 24 Jan 2004 16:34:24 -0000 1.18.2.5
***************
*** 38,41 ****
--- 38,50 ----
<li>It was possible to browse through the comments of a story even if the user
did not have access to the actual story (reported by Peter Roozemaal).</li>
+ <li>Due to an XSS issue, it was possible to change someone's account settings
+ (including the password) if you got them to click on a specially crafted
+ link (reported by Jelmer, fix suggested by Vincent Furia).</li>
+ <li>The comment display suffered from the possibility of an SQL injection
+ (reported by Jelmer).</li>
+ <li>It was possible to inject Javascript code in the calendar (reported by
+ Jelmer).</li>
+ <li>It was possible to execute (but not save) Javascript code in the comment
+ preview (reported by Jelmer).</li>
</ol>
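Review bot: the four added <li> entries identify each issue only by symptom and reporter, not by the affected script, page or parameter, so an administrator reading changes.html cannot tell which part of the install each fix covers (e.g. "The comment display suffered from the possibility of an SQL injection" names neither the script nor the input involved). Suggest adding the affected component to each entry, and spelling "JavaScript" consistently in the two entries that currently use "Javascript".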
Index: history
===================================================================
RCS file: /usr/cvs/geeklog/geeklog-1.3/docs/history,v
retrieving revision 1.120.2.4
retrieving revision 1.120.2.5
diff -C2 -d -r1.120.2.4 -r1.120.2.5
*** history 18 Jan 2004 21:45:09 -0000 1.120.2.4
--- history 24 Jan 2004 16:34:24 -0000 1.120.2.5
***************
*** 1,8 ****
GeekLog History/Changes:
! January 21, 2004 (1.3.8-1sr4)
----------------
! This release addresses the following security-related issues:
1. It was possible for users in the Group Admin and User Admin groups to
--- 1,8 ----
GeekLog History/Changes:
! January 26, 2004 (1.3.8-1sr4)
----------------
! This release addresses the following security issues:
1. It was possible for users in the Group Admin and User Admin groups to
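Review bot: the release date changes from January 21 to January 26, 2004 while the version string stays 1.3.8-1sr4; the changes.html diff in this commit does not show its date line, so confirm that both files state the same release date for 1.3.8-1sr4 before tagging. The rewording from "security-related issues" to "security issues" is fine.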
***************
*** 16,19 ****
--- 16,28 ----
4. It was possible to browse through the comments of a story even if the user
did not have access to the actual story (reported by Peter Roozemaal).
+ 5. Due to an XSS issue, it was possible to change someone's account settings
+ (including the password) if you got them to click on a specially crafted
+ link (reported by Jelmer, fix suggested by Vincent Furia).
+ 6. The comment display suffered from the possibility of an SQL injection
+ (reported by Jelmer).
+ 7. It was possible to inject Javascript code in the calendar (reported by
+ Jelmer).
+ 8. It was possible to execute (but not save) Javascript code in the comment
+ preview (reported by Jelmer).
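Review bot: items 5 through 8 are a word-for-word copy of the four <li> entries added to changes.html in the same commit, which means the two files have to be kept in sync by hand; consider noting which of the two is authoritative or generating one from the other. Item 8's "(but not save)" is the only impact qualifier in the list; a comparable note on item 6 (what the comment-display SQL injection could reach) would help administrators prioritize the update.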