Security alert for all versions of StatusNet

By Evan Prodromou

Yvan Boily of the Mozilla Security team alerted us to a cross-site scripting (XSS) attack on versions of StatusNet from 0.8.x up. We have released new versions of the stable code (0.9.x branch) and upcoming 1.0 release (1.0.x branch). All StatusNet users are encouraged to upgrade to either version 0.9.9 or 1.0.0beta2 as soon as possible. Until upgrading is possible, it's recommended to disable realtime browser updates with the Meteor plugin or other realtime plugins.

Incorrectly sanitized input from the URL for "tag stream" pages, combined with incorrect encoding of dynamically-generated JavaScript, allows an attacker to create a carefully-crafted URL that will execute arbitrary JavaScript code on other users' browsers. The code has been corrected by a) sanitizing tag input from the URL and b) encoding arguments to JavaScript more carefully, to escape harmful characters.
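The two fixes described above, shown side by side with the vulnerable pattern as an added illustration (this is not StatusNet's own PHP code; the `subscribeToTagStream` function name and the `TAG_RE` whitelist are assumptions for the example):

```python
import json
import re

# Assumed whitelist for a tag taken from the URL: short, alphanumeric plus underscore.
TAG_RE = re.compile(r'^[A-Za-z0-9_]{1,64}$')


def sanitize_tag(raw):
    """Fix (a): accept the URL tag only if it matches the whitelist, else None."""
    return raw if TAG_RE.match(raw) else None


def js_string_literal(value):
    """Fix (b): encode a value as a JavaScript string literal that is safe inside
    an inline <script> block. json.dumps quotes and backslash-escapes the string
    (and, with ensure_ascii, also escapes U+2028/U+2029); we additionally escape
    <, > and & so the literal can never close the script element or be read as
    markup by the HTML parser."""
    encoded = json.dumps(value)
    return (encoded.replace('<', '\\u003c')
                   .replace('>', '\\u003e')
                   .replace('&', '\\u0026'))


def render_unsafe(tag):
    """The vulnerable pattern: raw URL input interpolated into generated JS."""
    return '<script>subscribeToTagStream("%s");</script>' % tag


def render_safe(raw_tag):
    """Both fixes applied: reject a malformed tag, and encode the argument."""
    tag = sanitize_tag(raw_tag)
    if tag is None:
        return '<!-- invalid tag -->'
    return '<script>subscribeToTagStream(%s);</script>' % js_string_literal(tag)
```

The whitelist alone would have closed this hole, but the encoder is what protects every other place a dynamic value is written into generated JavaScript.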

StatusNet's cloud services and StatusNet OnDemand have been updated to the corrected code.

Thanks to Yvan and the rest of the Mozilla Security team for this bug report. The attack was identified as part of the Mozilla Security Bug Bounty Program, which is a great program. mozilla.status.net is a great community of Mozilla Drumbeat folks on our Open Source platform, so it's nice to have it covered by the bug bounty program.