Message from discussion Important: XSS Vulnerability
From: Andrew Darby <agda...@gmail.com>
Date: Fri, 15 Jun 2012 15:16:05 -0400
Subject: Re: [SubjectsPlus] Important: XSS Vulnerability
When I say "gone through all the sites," I mean all the sites listed
on the Sites Using SubjectsPlus page on the wiki.  If you're unsure or
concerned, drop me a line at agdarby AT gmail DOT com.
On Fri, Jun 15, 2012 at 3:14 PM, Andrew Darby <agda...@gmail.com> wrote:
> Oops, I didn't realize I was responding to the whole list.  But since
> I am . . . I've gone through all the sites, and the only ones with
> this vulnerability appear to be showing up in that pastebin link.
> Wouldn't hurt to double-check your databases.php page, trying out those
> test xss attacks.

> On Fri, Jun 15, 2012 at 3:07 PM, Andrew Darby <agda...@gmail.com> wrote:
>> I'll take a look at your file, but I just checked your site and you
>> seem to be okay.

>> Andrew

>> On Fri, Jun 15, 2012 at 3:03 PM, Catherine C Tuohy <tuo...@emmanuel.edu> wrote:
>>> Hi Andrew, Diane is on vacation and I am wondering if you can take a look at our databases.php file I have attached and advise me.  Thanks so much!  Cathy
>>> Catherine C. Tuohy
>>> Assistant Director of Technology and Technical Services
>>> Emmanuel College Library
>>> 400 The Fenway
>>> Boston, MA 02115
>>> 617-264-7658
>>> ________________________________________
>>> From: subjectsplus@googlegroups.com [subjectsplus@googlegroups.com] On Behalf Of Andrew Darby [agda...@gmail.com]
>>> Sent: Friday, June 15, 2012 12:30 PM
>>> To: subjectsplus@googlegroups.com
>>> Subject: [SubjectsPlus] Important: XSS Vulnerability

>>> Hello, all.  I came across the following pastebin entry today, which
>>> pointed out a public vulnerability in the databases list:

>>> http://pastebin.com/dER2NYKr

>>> I'm not sure what version of SP these sites are running, but you need
>>> to fix this asap.  To fix, go to subjects/databases.php and look for a
>>> line that adds some additional information to the $page_title
>>> variable.  If you have something that looks like this line, with the
>>> $_GET["letter"] variable being displayed without first being scrubbed
>>> for malicious intent, you have a potential problem:

>>>  $page_title .= ": " . $_GET["letter"];

>>> I'm not sure exactly what it looks like on your site, but for now, try
>>> commenting this line out.  You should be left with a generic "Database
>>> List" page title.

>>> If you want to see if this is an issue, cut and paste in your database
>>> list url and add at the end

>>> "><script>alert(1)</script>

>>> if it makes a box pop up, you have a problem.  If you're not sure what
>>> to do, drop me a line off list.

>>> This should not be an issue in 1.0.1, but you might have downloaded
>>> the new version and kept your old subjects/databases.php file.  I'll
>>> send instructions later about how to safely include your selected
>>> letter as part of the title.

>>> --
>>> You received this message because you are subscribed to the Google Groups "SubjectsPlus" group.
>>> To post to this group, send email to subjectsplus@googlegroups.com.
>>> To unsubscribe from this group, send email to subjectsplus+unsubscribe@googlegroups.com.
>>> For more options, visit this group at http://groups.google.com/group/subjectsplus?hl=en.

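The thread stops at the stop-gap (comment the line out) and promises instructions later on how to put the selected letter back into the title safely. The block below is an added example, not SubjectsPlus project code and not the author's promised fix: it reproduces the vulnerable `$page_title` concatenation from the message beside a hardened version. The function names are hypothetical, the `$_GET` array is replaced by a plain array so the snippet runs from the command line, and the two inputs (a legitimate letter and the probe string quoted in the message) are constructed for the demonstration.

```php
<?php
// Added example (not SubjectsPlus code). Shows the reflected XSS pattern
// described in the thread and a defensive rewrite. Function names are
// hypothetical; $get stands in for PHP's $_GET superglobal.

// Vulnerable pattern from the thread: the raw query parameter is
// appended to the title and later echoed into the HTML <title> element.
function buildTitleVulnerable(array $get): string
{
    $page_title = "Database List";
    if (isset($get["letter"])) {
        $page_title .= ": " . $get["letter"];   // unescaped user input
    }
    return $page_title;
}

// Step 1 of the fix: only accept what the parameter can legitimately be.
// A database list filtered "by letter" needs exactly one ASCII letter;
// anything else is dropped rather than reflected back to the browser.
function normalizeLetter(?string $letter): ?string
{
    if ($letter === null) {
        return null;
    }
    if (preg_match('/^[A-Za-z]$/', $letter) === 1) {
        return strtoupper($letter);
    }
    return null;
}

// Step 2 of the fix: HTML-encode at the point of output. Encoding is kept
// even though the value is validated, so the title stays safe if the
// validation rule is ever loosened (e.g. to allow "0-9" or "All").
function buildTitleSafe(array $get): string
{
    $page_title = "Database List";
    $letter = normalizeLetter($get["letter"] ?? null);
    if ($letter !== null) {
        $page_title .= ": " . $letter;
    }
    return htmlspecialchars($page_title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a normal filter and the probe quoted in the thread.
$benign = ["letter" => "b"];
$probe  = ["letter" => '"><script>alert(1)</script>'];

echo "vulnerable, benign: <title>" . buildTitleVulnerable($benign) . "</title>\n";
echo "vulnerable, probe:  <title>" . buildTitleVulnerable($probe)  . "</title>\n";
echo "safe, benign:       <title>" . buildTitleSafe($benign) . "</title>\n";
echo "safe, probe:        <title>" . buildTitleSafe($probe)  . "</title>\n";
```

Run it with `php example.php`: the vulnerable output closes the `<title>` element and inserts a `<script>` tag verbatim, while the hardened version prints only "Database List" for the probe (the parameter fails validation) and "Database List: B" for the real filter. The same two steps apply wherever `$_GET["letter"]` is used on the page, not only in the title; the thread's advice to test the live URL with the quoted probe is the quickest way to confirm a deployment no longer reflects it.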


 