Greenguy's Board - View Single Post

cd34 · 2010-12-29, 05:48 PM

I haven't pulled down 3.0.3 and 3.0.4 yet to see what they changed. I've never understood why anyone tries to clean up data... if it doesn't match your validation, it should be declined.

I suspect the error might be in the commenting or post section as that is the only place that library seems to be called - so, if your blog doesn't have comments, it may not be vulnerable. However, it could be in the user's bio field, and an admin that views a users profile could leak the admin cookie. I'll take a look later, just seemed prudent to let people know earlier rather than later.

2010-12-29, 05:48 PM	#3
cd34 a.k.a. Sparky Join Date: Sep 2004 Location: West Palm Beach, FL, USA Posts: 2,396	I haven't pulled down 3.0.3 and 3.0.4 yet to see what they changed. I've never understood why anyone tries to clean up data... if it doesn't match your validation, it should be declined. I suspect the error might be in the commenting or post section as that is the only place that library seems to be called - so, if your blog doesn't have comments, it may not be vulnerable. However, it could be in the user's bio field, and an admin that views a users profile could leak the admin cookie. I'll take a look later, just seemed prudent to let people know earlier rather than later. __________________ SnapReplay.com a different way to share photos - iPhone & Android