Security alert for StatusNet 1.0.0alpha4


There is a cross-site scripting vulnerability in the development (1.0.x) branch of StatusNet, including the alpha4 release previously available for download from the StatusNet site.

The vulnerability is due to insufficient sanitization of user input in the description field of the question-and-answer (QnA) plugin. Attackers could post hostile JavaScript or other HTML code into the application that would be seen, and executed, by other users on the network. Versions of the 1.0.x branch below alpha5 are affected.
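The following is an added illustration, not StatusNet's own code or the actual patch, of the class of defect the advisory describes: a user-supplied description written into a page without HTML escaping, beside the same rendering with escaping applied on output. The function names and the sample description are constructed for this example.

```php
<?php
// Added illustration (not StatusNet code): rendering a user-controlled
// description field with and without output escaping.

// Vulnerable pattern: user input is concatenated straight into the HTML,
// so any tags in the description become live markup in other users' browsers.
function render_description_unescaped(string $description): string
{
    return '<div class="qna-description">' . $description . '</div>';
}

// Hardened pattern: escape on output so the browser treats the description
// as text. ENT_QUOTES covers both quote styles, which matters if the same
// value is ever placed inside an attribute.
function render_description_escaped(string $description): string
{
    $safe = htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="qna-description">' . $safe . '</div>';
}

// Simple review check: the rendered fragment must not contain the raw
// user input when that input carries angle brackets.
function user_text_is_inert(string $rendered, string $user_input): bool
{
    if (strpbrk($user_input, '<>') === false) {
        return true; // nothing to escape, nothing to check
    }
    return strpos($rendered, $user_input) === false;
}

// Constructed sample of the kind of input the advisory is about: a
// description that contains a tag instead of plain text.
$sample = "Which release fixes this? <script>alert('xss')</script>";

$bad  = render_description_unescaped($sample);
$good = render_description_escaped($sample);

echo $bad, PHP_EOL;   // tag survives intact; a browser would execute it
echo $good, PHP_EOL;  // &lt;script&gt;...&lt;/script&gt; is shown as text

var_dump(user_text_is_inert($bad, $sample));   // bool(false)
var_dump(user_text_is_inert($good, $sample));  // bool(true)
```

Escaping at the point of output is the right fix when the field is meant to hold plain text, as a description normally is. If a field is intended to accept limited markup, escaping is not enough and an allow-list HTML sanitizer is required instead; note also that the escaping above is correct only for HTML body and attribute contexts, and a value placed inside a script block or a URL needs context-specific encoding.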

A patch has been created and is available in the testing and 1.0.x branches of StatusNet. A new version of the software, 1.0.0alpha5, is available for download from the StatusNet site. The StatusNet OnDemand service has been updated.

Administrators testing the new 1.0.0 alpha versions should immediately upgrade to 1.0.0alpha5.

Thanks to Steve Milner for identifying this security issue and alerting the team to the problem.
