Re: tclhttpd xss security vulnerability
comp.lang.tcl archive


From: Michael Schlenker <schlenk@uni-oldenburg.de>
Date: Tue Feb 28 2006 - 12:52:50 CET

yahalome@gmail.com wrote:
> Has anybody made a fix for the cross-site scripting (XSS) security
> vulnerability in tclhttpd?
> http://www.derkeiler.com/Mailing-Lists/Securiteam/2003-10/0002.html
> I do not see anything mentioned on SourceForge.
>
In the CVS version the debug and other admin URLs, which were the main
targets of the XSS, are only available with authentication, which should
reduce the impact of the XSS: the author would need to click on a foul
link, enter his credentials and get hit by the problem.

Fixing it thoroughly would involve some more quoting and filtering on
output, not that hard to do with the help of html::html_entities and
other procs from tcllib.

Michael
Received on Sun Apr 30 02:17:37 2006
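A small illustration of the output escaping Michael suggests, added here as an example and not code from tclhttpd or from either poster: a tclhttpd-style handler that echoes a query parameter into the page unchanged, beside the same handler passing the value through tcllib's html::html_entities first. The handler names, the sample input and the Direct_Url wiring shown in the comments are assumptions.

```tcl
package require html   ;# tcllib: provides html::html_entities

# Vulnerable form: the query value is interpolated into the HTML body
# as-is, so any markup in it becomes part of the page (the XSS pattern
# discussed in the thread).
proc EchoUnsafe {{name ""}} {
    return "<html><body><h1>Hello $name</h1></body></html>"
}

# Hardened form: every untrusted value is run through
# html::html_entities before it is interpolated, so characters such as
# & < > are emitted as entities and rendered as text, not markup.
proc EchoSafe {{name ""}} {
    set safe [html::html_entities $name]
    return "<html><body><h1>Hello $safe</h1></body></html>"
}

# Under tclhttpd these would be registered as Direct_Url handlers
# (assumed wiring, not taken from the tclhttpd sources), e.g.
#   Direct_Url /echo Echo
#   proc Echo/hello {{name ""}} { ... }
# where query parameters arrive as the named arguments.

# Constructed sample input containing HTML metacharacters.
set sample {<b>not bold</b> & "quoted"}

puts "unsafe: [EchoUnsafe $sample]"
puts "safe:   [EchoSafe $sample]"
```

The escaping is for HTML body text; a value placed inside an attribute, a script block or a URL needs the quoting appropriate to that context.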