thanks for pointing to the 0.11.pl1 release, rob.
yesterday i was preparing the release the whole day but didn't report
it here still. please, spread the word about the security-release.
for i2: i think that the cross-site-scripting is because of the bad
sanitize functions in rails. so expect more applications to be
vulnerable. i2 is not really instiki-codebase, since it is only
intended to work on the main rails wiki site.
guys, please submit patches for the 0.12 version, since i want to get
this thing forward.
greetings,
parasew
On 2/28/07, Rob Sanheim <rsanheim at gmail.com> wrote:
> There is an XSS vulnerability in instiki .11, if you aren't running
> the very latest release. I'm not sure why there hasn't been an
> announcement to this list about the issue, as if you *aren't* running
> .11p1 then you are vulnerable. Note that .11p1 was released today,
> Feb. 27.
>
> If you go to instiki.org you can see a javascript popup, which
> illustrates the flaw nicely and points you to a description of the
> flaw:
>
> http://golem.ph.utexas.edu/~distler/blog/archives/001181.html
>
> Does anyone know if this also affects i2? Here is a link to p1 if
> you want to update your instiki installation:
>
> http://rubyforge.org/frs/shownotes.php?release_id=10014
>
>
> - Rob
> _______________________________________________
> Instiki-users mailing list
> Instiki-users at rubyforge.org
> http://rubyforge.org/mailman/listinfo/instiki-users
>