Re: The XSS Security Issue - How much of a risk is it in real terms?
by skenow on 2010/12/23 7:51:59 Quote:
All the download blocks have been updated - thanks! There is an xml file on the www site with the latest info in it - hadn't updated that yet, but you should be good now.
Re: The XSS Security Issue - How much of a risk is it in real terms?
by Vaughan on 2010/12/23 3:57:06 Did you update the system module?
Re: The XSS Security Issue - How much of a risk is it in real terms?
by Madfish on 2010/12/23 3:52:26 Should the download block be updated to version 1.2.4, or do you have to install 1.2.3 and patch it? Also, the system => version checker is still reporting 1.2.3 as the latest version. How does that work, by the way?
Re: The XSS Security Issue - How much of a risk is it in real terms?
by Vaughan on 2010/12/23 3:46:22 Quote:
I agree with that sentiment. Requiring admin access is a hurdle to obtaining the exploit, but you shouldn't let that detract from the fact that it's possible. On the other hand, if someone has gained admin access, you are correct, they can do a lot more damage than messing with XSS. Nothing can be 100% secure when it's on a network; no matter what you do, someone will always find a way through. We as developers just have to make that job all the more difficult to achieve, and if we can do that through strict coding practices and improving methods of detection and prevention, then we can at least try to stay ahead, or at least keep up with the game, so to speak. Quote:
Realistically, not likely; they need admin, and the Protector module would prevent that. In my opinion, though, we should always strive to have the core doing the protection! Protector is and always should be a secondary preventative measure for when the core isn't doing its job properly, and it shouldn't be relied on to cover up insecure coding methods in the core.

On a third note, this release also fixes an exploit in the image manager which CAN be exploited by anonymous users, opening up your site and potentially the server to malicious exploitation. That exploit was discovered internally by one of the project members, and as such the exact exploit isn't in the public domain. Therefore I would strongly suggest updating ASAP. There are no DB changes in this release; all you need to do is update the system module once you have copied over the files, as far as I'm aware. The only DB change, I think, is to change the version number.
Re: The XSS Security Issue - How much of a risk is it in real terms?
by skenow on 2010/12/22 17:31:15 Quote:
You will see the quick search in:
* Adsense administration
* Autotasks administration
* Blocks administration
* Block positions administration
* Custom tags administration
* Mimetypes administration
* Symlinks administration
* User ranks administration