Malicious HTML in postings...
Squishdot Posted by Darren on Friday February 04, 03:26PM, 2000
from the security-can-be-so-annoying dept.

CERT has issued a security advisory regarding improperly checked output from dynamic pages. For example, I could add malicious HTML code to this posting, and everyone who reads the posting would be affected by the code. Does Squishdot limit the HTML that can be added to the postings? There is the Allowed HTML at the bottom of this page; is there a sanity check on postings? Of course, the other way to deal with the problem is to turn moderation on for everything, and then properly check each posting manually.

The CERT advisory can be found at http://www.cert.org/advisories/CA-2000-02.html.
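One way to implement the sanity check the post asks about, as an added example that is not Squishdot's own code: an allow-list filter in Python (Squishdot's implementation language) that rebuilds a posting keeping only a constructed set of tags standing in for the site's Allowed HTML list, drops every other tag and attribute (event handlers included), refuses non-http/https/mailto link targets, discards script/style contents, and escapes all remaining text.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allow-list; assumed stand-in for the site's "Allowed HTML" list.
ALLOWED_TAGS = {"b", "i", "p", "br", "a", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
SAFE_SCHEMES = ("http://", "https://", "mailto:")
SKIP_CONTENT = {"script", "style"}       # drop the element and its text


class AllowListFilter(HTMLParser):
    """Re-emit only allow-listed markup; everything else becomes escaped text or is removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # rebuilt markup fragments
        self.open_stack = []   # allowed tags currently open, for well-formed closing
        self.skipping = None   # set while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self.skipping = tag
            return
        if tag not in ALLOWED_TAGS or self.skipping:
            return  # disallowed element: tag dropped, its text still flows through handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # strips onclick=, onmouseover=, style=, ...
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # rejects javascript:, data:, vbscript: targets
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if tag == self.skipping:
            self.skipping = None
        elif tag in self.open_stack:
            while self.open_stack:  # close unclosed inner tags first
                inner = self.open_stack.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))  # '<' in text can never open a tag


def sanitize_posting(html_text):
    """Return a posting containing only allow-listed HTML, with leftover tags closed."""
    f = AllowListFilter()
    f.feed(html_text)
    f.close()
    while f.open_stack:
        f.out.append(f"</{f.open_stack.pop()}>")
    return "".join(f.out)
```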



    Re: Malicious HTML in postings...
    by Butch Landingin on Saturday February 05, 01:11AM, 2000
    We (i.e. people in the Zope Community) are aware of this problem and are working on it and unfortunately -- yes, Squishdot has this vulnerability...

    I'll be turning on the comment moderation in the meantime until I can post a patch to fix this...

    I would also urge anyone running Squishdot sites (especially on publicly-accessible internet sites) to turn on the moderation options so that they can review their postings for malicious HTML tags until this is patched...

    -- Butch