The XSS Security Issue - How much of a risk is it in real terms? |
Subject: The XSS Security Issue - How much of a risk is it in real terms? by tedsmith on 2010/12/22 7:00:45 The security issue identified with version prior to 1.2.4 I have Googled and read about on several sites (http://seclists.org/bugtraq/2010/Dec/213 , http://www.htbridge.ch/advisory/xss_vulnerability_in_impresscms.html). However, I'm still unclear as to how this exploit can be achieved? I gather admin user access is needed to do the attack. If anyone other than the site admin has gained admin rights, is it not fair to say your site is already hacked and they can do pretty much what they want? If so, why would they want to do this XSS attack? Or have I mis-understood? What I getting at is how necessary is the upgrade in real terms? I know the official guidance is to upgrade straight away, but how much of a risk is this in real terms? Can my site, sat out on the Internet with no users logged in, realistically be attacked using this technique if : a) Protector module installed b) A good long admin password is in use c) https used on all pages by default etc etc? (I only ask because something went wrong with my site last time, and a test on a beta site the other week from 1.2.2 to 1.2.3 reported a problem at the database update stage ) Ted |