I am using an old SVN version dated 11/2007 [VERSION = (0, 97, 'pre')].
I guess that does not matter any more.
Thanks for all these replies, which do make me feel better now. I am
not knowledgeable enough for web security, so I am indeed thrilled when
our security guy tells me there is a "XSS" threat
Yes, I see where you are going, but to be precise, and I think we
should so that people do not start saying 'Django is susceptible to
XSS!' it is the other site that would most likely be vulnerable to
XSS. You would have to go to that site and click a link embedded
somewhere, and then for no app
On Wed, May 7, 2008 at 3:18 PM, Richard Dahl <[EMAIL PROTECTED]> wrote:
> If I said that this condition is indicative of an XSS attack vector I
> may as well say that Apache is vulnerable to a Denial of Service
> attack because 'after I ran apachectl stop, I could no longer get to
> my website
Remember though, that the script came from the user in question,
entered into the address bar, the 'next' parameter (to my knowledge)
does not persist and cannot be sent to another user. Therefore, if
you want to go ahead and make sure the 'next' variable is escaped,
great, but it is not really i
Also, for future reference, please remember that if you think you've
found a security problem in Django the correct action is to send email
to [EMAIL PROTECTED]
--
"Bureaucrat Conrad, you are technically correct -- the best kind of correct."
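The point in dispute above is whether the reflected 'next' value is escaped before it lands inside the login form's action attribute. The following is an added illustration, not code from the thread or from Django: it renders the same form markup the lynx output shows, once with the path reflected verbatim and once with attribute-context escaping, and inspects the result with the standard library's HTML parser to see whether a script element escapes the attribute. The template string and function names are assumptions for the demonstration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed input: the URL path quoted in the thread, URL-decoded the way
# a web framework would see it before dropping it into a template.
PAYLOAD_PATH = unquote("/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/")

# Assumed template shape, modelled on the markup in the lynx output above.
TEMPLATE = '<form action="%s" method="post" id="login-form">'


def render_unescaped(next_path):
    """The pattern the thread observed: the path is reflected verbatim, so a
    quote and '>' inside it terminate the action attribute early."""
    return TEMPLATE % next_path


def render_escaped(next_path):
    """Attribute-context escaping: quote=True also converts '"', so the value
    cannot close the attribute, and '<' / '>' become entities."""
    return TEMPLATE % html.escape(next_path, quote=True)


class _TagWalker(HTMLParser):
    """Collects start-tag names and the form's attributes from rendered markup."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.form_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form":
            self.form_attrs = dict(attrs)


def inspect(rendered):
    """Returns (element names seen, form action value).  A 'script' element
    appearing at all means the reflected value broke out of its attribute;
    the action value is what a browser would actually submit to."""
    walker = _TagWalker()
    walker.feed(rendered)
    walker.close()
    return walker.tags, walker.form_attrs.get("action")


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        print(name, inspect(render(PAYLOAD_PATH)))
```

With the verbatim reflection the parser sees a form whose action is cut to "/admin/" followed by a separate script element; with escaping it sees only the form, whose action is the full original path as a harmless string.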
On Wed, May 7, 2008 at 2:51 PM, Richard Dahl <[EMAIL PROTECTED]> wrote:
> Excellent, good catch, when logged out it does indeed display the
> alert, I imagine it has to do with the 'next' property, which is not, I
> believe, escaped, as it is not entered into the DB or presented to any
> other u
Excellent, good catch, when logged out it does indeed display the
alert, I imagine it has to do with the 'next' property, which is not, I
believe, escaped, as it is not entered into the DB or presented to any
other user. So again, it begets the question: How is the XSS attack
possible?
WARNING! cyn
It does work, make sure you're not logged in.
$ lynx -source -dump
http://localhost:8000/admin/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/
| grep alert
alert(3939)/" method="post"
id="login-form">
On May 7, 9:10 pm, "James Bennett" <[EMAIL PROTECTED]> wrote:
> On Wed, May 7, 2008 at 1:45 P
I'm using 7510. Script is executed for me.
You need to be logged out, then it displays a log in window, with an
alert box.
On May 7, 12:10 pm, "James Bennett" <[EMAIL PROTECTED]> wrote:
> On Wed, May 7, 2008 at 1:45 PM, mw <[EMAIL PROTECTED]> wrote:
> > It worked for me and I have one of the fai
I don't understand how this becomes an XSS vulnerability, XSS attacks
work by having malicious scripts executed by another user. Key word
being 'another'. If this works (it gives me a 404) this is an example
where you can XSS attack yourself, but there is no reasonable way to
necessarily preven
On Wed, May 7, 2008 at 1:45 PM, mw <[EMAIL PROTECTED]> wrote:
> It worked for me and I have one of the fairly recent copies from SVN.
> (not like today up to date, but pretty up to date)
Visiting the precise URL he pasted, in current Django trunk (SVN
revision 7514), I get a 404.
And I can't s
It worked for me and I have one of the fairly recent copies from SVN.
(not like today up to date, but pretty up to date)
On May 7, 12:34 pm, "James Bennett" <[EMAIL PROTECTED]> wrote:
> On Wed, May 7, 2008 at 12:31 PM, Chunlei Wu <[EMAIL PROTECTED]> wrote:
> > /admin/index.php/%22%3E%3Cscript%
On Wed, May 7, 2008 at 12:31 PM, Chunlei Wu <[EMAIL PROTECTED]> wrote:
> /admin/index.php/%22%3E%3Cscript%3Ealert%283939%29%3C/script%3E/
>
> I am surprised the passed javascript code is indeed executed. Can
> somebody verify that? Is it a big threat?
Which version of Django is this happening