[geeklog-devel] KSES Vulnerability in 1.4.1/1.40sr6

Michael Jervis mjervis at gmail.com
Sun Apr 27 02:46:09 EDT 2008

>  OK, so I have confirmed, this can be exploited in the KSES class included
>  with 1.4.1.

Yes, the KSES class we ship is vulnerable, however, we have been
unable to find a vulnerability in Geeklog. Our use of KSES adds layers
on top, and pushing the first two examples through the story
submission, link submission, comment submission etc shows that Geeklog
itself is already hardened against them.

The style-based attack is not protected against by KSES, however,
Geeklog ships without the style attribute on the HTML whitelist and we
advise against letting anyone use that.

>  Here is the quick-fix, implemented in the class as recommended in the
>  advisory, and it seems to work (my exploit now fails) but would appreciate
>  it if others could test/validate.
>  http://the-howards.net/kses.class.zip

When I set up a harness to test our KSES class, I found the fix did
not work with the first attack published (the PHP execution one).

If you could submit sample exploits to the security list (which is a
closed private list) so we can re-validate our findings, that would be



Michael Jervis
mjervis at gmail.com
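Added illustration, not code from the original message, from Geeklog or from KSES (and not the fix in the zip above): a small whitelist-based HTML filter in Python showing the two layers the message refers to. Tags and attributes survive only if they are on a whitelist, so a "style" attribute is dropped simply because no tag lists it, and URL attributes are checked against a protocol whitelist. The whitelist contents, the helper names and the sample inputs are constructed for this example and are not Geeklog's configuration.

```python
"""Tiny whitelist-based HTML sanitizer, in the spirit of kses: keep only
whitelisted tags, keep only whitelisted attributes on those tags, and check
URL attributes against a protocol whitelist. Everything else is dropped.
Illustrative code only; it is not Geeklog's or KSES's implementation."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical whitelist: tag -> set of allowed attributes. "style" appears
# nowhere, which is the point made in the thread: a filter that does not
# inspect style contents is safe only if style is never allowed through.
ALLOWED_TAGS = {
    "p": set(),
    "b": set(),
    "i": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
ALLOWED_PROTOCOLS = {"http", "https", "mailto"}
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"img", "br"}


def url_allowed(value):
    """True if the URL is relative or uses a whitelisted scheme.
    Control characters are stripped first so that a scheme split by
    e.g. a NUL byte cannot slip past the check."""
    cleaned = "".join(ch for ch in value if ord(ch) >= 0x20).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in ALLOWED_PROTOCOLS


class WhitelistFilter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []
        self.stack = []  # allowed, non-void tags currently open

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # e.g. style, onclick, onerror: not whitelisted
            value = "" if value is None else value
            if name in URL_ATTRS and not url_allowed(value):
                continue  # e.g. javascript: URLs
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in self.stack:
            return  # disallowed, void, or never opened: drop it
        while self.stack:  # close anything left open inside it
            top = self.stack.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape text

    def handle_comment(self, data):
        pass  # comments are dropped entirely

    def result(self):
        self.close()
        while self.stack:  # close tags the input left open
            self.out.append("</%s>" % self.stack.pop())
        return "".join(self.out)


def sanitize(html):
    """Run the whitelist filter over one fragment and return the result."""
    f = WhitelistFilter()
    f.feed(html)
    return f.result()


if __name__ == "__main__":
    # Constructed sample inputs, not exploits from the advisory.
    for sample in ('<p style="color:red" onclick="x()">hi</p>',
                   '<a href="JavaScript:alert(1)" title="t">x</a>',
                   '<img src="http://example.com/a.png" style="x" alt="a">'):
        print(sample, "->", sanitize(sample))
```

The filter never looks inside a style value at all; it does not have to, because nothing in the whitelist admits one. That is the property the message relies on when it says the style-based attack is not a Geeklog problem as shipped, and it is lost the moment a site adds "style" to its whitelist.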
