Re: The XSS Security Issue - How much of a risk is it in real terms?

by skenow on 2010/12/23 7:51:59

Quote:


Madfish wrote:
Should the download block be updated to version 1.2.4 or you got to install 1.2.3 and patch it?

Also, the system => version checker is still reporting 1.2.3 as the latest version. How does that work, by the way?



All the download blocks have been updated - thanks!

There is an xml file on the www site with the latest info in it - hadn't updated that, yet, but you should be good, now.

Re: The XSS Security Issue - How much of a risk is it in real terms?

by Vaughan on 2010/12/23 3:57:06

Did you update the system module?

Re: The XSS Security Issue - How much of a risk is it in real terms?

by Madfish on 2010/12/23 3:52:26

Should the download block be updated to version 1.2.4 or you got to install 1.2.3 and patch it?

Also, the system => version checker is still reporting 1.2.3 as the latest version. How does that work, by the way?

Re: The XSS Security Issue - How much of a risk is it in real terms?

by Vaughan on 2010/12/23 3:46:22

Quote:


However, I'm still unclear as to how this exploit can be achieved? I gather admin user access is needed to do the attack. If anyone other than the site admin has gained admin rights, is it not fair to say your site is already hacked and they can do pretty much what they want? If so, why would they want to do this XSS attack? Or have I misunderstood?



I agree with that sentiment, requiring admin access is a hurdle to obtain the exploit, you shouldn't let that detract from the fact that it's possible. On the other hand though, if someone has gained admin access, you are correct, they can do a lot more damage than messing with XSS. Nothing can be 100% secure when it's on a network, no matter what you do, someone will always find a way through.

We as developers just have to make that job all the more difficult to achieve, and if we can do that through strict coding practices & improving methods of detection & prevention, then we can at least try to stay ahead or at least keep up with the game, so to speak.

Quote:


What I'm getting at is how necessary is the upgrade in real terms? I know the official guidance is to upgrade straight away, but how much of a risk is this in real terms? Can my site, sat out on the Internet with no users logged in, realistically be attacked using this technique if:

a) Protector module installed
b) A good long admin password is in use
c) https used on all pages by default
etc etc?

(I only ask because something went wrong with my site last time, and a test on a beta site the other week from 1.2.2 to 1.2.3 reported a problem at the database update stage )
Ted



Realistically, not likely, they need admin, and protector module would prevent that, in my opinion though, we should always strive to have the core doing the protection! Protector is & always should be a secondary preventative measure when the core isn't doing its job properly, and it shouldn't be relied on to cover up insecure coding methods in the core.


On a 3rd note, this release also fixes an exploit in the image manager which CAN be exploited by anonymous users, opening up your site & potentially the server to malicious exploitation. That exploit was discovered internally by 1 of the Project members, and as such the exact exploit isn't in the public domain.
Therefore I would strongly suggest updating asap.

There are no DB changes in this release, all you need to do is update the system module once you have copied over the files as far as I'm aware. The only DB change I think is to change the version number.

Re: The XSS Security Issue - How much of a risk is it in real terms?

by skenow on 2010/12/22 17:31:15

Quote:


tedsmith wrote:
IPF quicksearch feature

What's that? I have the default search block on my site. Is that what you mean?

Or do you mean the 'Quick Search' facility found in the Content module homepage? I assume it is this search field that can be exploited, which requires site admin access anyway.

I don't use the content module at all.



You will see the quick search in:
* Adsense administration
* Autotasks administration
* Blocks administration
* Block positions administration
* Custom tags administration
* Mimetypes administration
* Symlinks administration
* User ranks administration