[Social-discuss] GNU social XSS vulnerability, version bumped to v1.1.2

From: Mikael Nordfeldth
Subject: [Social-discuss] GNU social XSS vulnerability, version bumped to v1.1.2
Date: Sat, 25 Oct 2014 15:19:07 +0200
Hi all, I'm the maintainer of GNU social. Feel free to download my
attached public OpenPGP key if you think it might be of use in the future.

I wish to announce that a GNU social XSS vulnerability was discovered in
the Bookmark plugin, which is enabled by default. I have not asked
whether I can name the person who found the issue, but will give proper
attribution if this person would like that.

Affects: GNU social master repository up until commit #048af5a.
Also affects: StatusNet, all versions (since Bookmark plugin).

Reason: There was no proper check on the input value of the Bookmark
URL, making it possible to enter a value such as
'javascript:alert("Resistance is futile!")'.

Severity: Reasonably, this would require a user to click the link rather
than have anything automatically execute. Should this be a bad
assumption from my side, please voice it on this list and to whomever
may need that info.

Fix: I patched this in commit 39b5e08 visible at
and can easily be applied by hand to StatusNet code.

The resulting source update bumped the version number to 1.1.2-alpha1,
since I figure that might get people to update quicker.

Standard update procedure applies, though no database changes have been
applied lately:
# Stop daemons if you're running them.
# git pull
# php scripts/upgrade.php
# Start daemons.
# Live long and prosper.

Mikael Nordfeldth
XMPP/mail: address@hidden
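The root cause above is a missing check on the scheme of a user-supplied bookmark URL. The following is an added example, not code from GNU social, StatusNet or the commit referenced in the announcement, showing the allow-list style check a plugin can apply before storing such a URL, plus attribute escaping at render time. Function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not GNU social's own code): allow-list validation of a
// bookmark URL before it is stored, plus escaping when it is rendered.

/**
 * Return the URL if it uses an allowed scheme and has a host, or null if
 * it must be rejected. A "deny javascript:" block-list is deliberately
 * avoided: browsers also accept variants such as "JavaScript:",
 * " javascript:" or "java\tscript:", and other executable schemes
 * (data:, vbscript:) would have to be enumerated too. Requiring http or
 * https rejects all of them at once.
 */
function validate_bookmark_url(string $input): ?string
{
    $allowed = ['http', 'https'];

    // Surrounding whitespace is ignored by browsers, so strip it here
    // rather than storing a value the client would still interpret.
    $url = trim($input);

    // Control characters (tab, CR, LF) are stripped by browsers inside the
    // scheme, so "java\tscript:" must not reach the client at all.
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    if (!in_array(strtolower($parts['scheme']), $allowed, true)) {
        return null;
    }

    return $url;
}

/**
 * Render a validated bookmark as a link. Validation covers the scheme;
 * escaping here additionally stops a quote in the URL or title from
 * breaking out of the attribute or element.
 */
function render_bookmark(string $url, string $title): string
{
    return sprintf(
        '<a href="%s" rel="nofollow">%s</a>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($title, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed sample inputs (not taken from any real report).
$samples = [
    'https://example.org/social/',                 // ordinary bookmark
    'javascript:alert("Resistance is futile!")',   // the reported vector
    'JavaScript:alert(1)',                          // case variant
    "java\tscript:alert(1)",                        // control-character variant
    'data:text/html,<script>alert(1)</script>',     // another executable scheme
    '//example.org/path',                           // scheme-relative, no scheme
];

foreach ($samples as $s) {
    $ok = validate_bookmark_url($s);
    printf("%-45s => %s\n", json_encode($s), $ok === null ? 'REJECTED' : 'accepted');
    if ($ok !== null) {
        echo '   ', render_bookmark($ok, 'Example "bookmark"'), "\n";
    }
}
```

Only the first sample is accepted; every other one fails either the control-character check or the scheme/host requirement. Keeping the rule as "accept a short list of schemes" rather than "reject known bad ones" is what makes the check hold up against the spelling and encoding variants browsers tolerate.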

