[geeklog-devel] KSES Vulnerability in 1.4.1/1.40sr6

Michael Jervis mjervis at gmail.com
Sun Apr 27 02:46:09 EDT 2008


>  OK, so I have confirmed, this can be exploited in the KSES class included
>  with 1.4.1.

Yes, the KSES class we ship is vulnerable; however, we have been
unable to find a vulnerability in Geeklog. Our use of KSES adds layers
on top, and pushing the first two examples through the story
submission, link submission, comment submission etc. shows that Geeklog
itself is already hardened against them.

The style-based attack is not protected against by KSES; however,
Geeklog ships without the style attribute on the HTML whitelist and we
advise against letting anyone use that.


>  Here is the quick-fix, implemented in the class as recommended in the
>  advisory, and it seems to work (my exploit now fails) but would appreciate
>  it if others could test/validate.
>
>  http://the-howards.net/kses.class.zip

When I set up a harness to test our KSES class, I found the fix did
not work with the first attack published (the PHP execution one).

If you could submit sample exploits to the security list (which is a
closed private list) so we can re-validate our findings, that would be
great.

Cheers,

Mike



-- 
Michael Jervis
mjervis at gmail.com
504B03041400000008008F846431E3543A820800000006000000060000007765
62676F642B4F4D4ACF4F0100504B010214001400000008008F846431E3543A82
0800000006000000060000000000000000002000000000000000776562676F64
504B05060000000001000100340000002C0000000000
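The layering described in this message (a tag/attribute whitelist that simply omits the style attribute and event handlers, plus a URL-scheme check on href/src) and the test harness Mike mentions can be illustrated with a small filter and regression harness. The code below is an added example written for this archive page; it is not Geeklog's or the KSES class's own code. The whitelist contents, the scheme list, the function names (url_is_allowed, sanitize, run_harness) and every test input are constructed for illustration only.

```python
"""Whitelist-based HTML filter plus a small regression harness.

Added example, not Geeklog/KSES code. Whitelist, scheme list and test
cases are constructed for illustration.
"""
import re
from html import escape
from html.parser import HTMLParser

# Constructed whitelist: tag -> attributes allowed on it. `style` and every
# on* handler are deliberately absent; anything not listed is dropped.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "img": {"src", "alt"},
    "p": set(), "b": set(), "i": set(), "br": set(),
}
ALLOWED_SCHEMES = {"http", "https", "mailto"}   # constructed list
URL_ATTRS = {"href", "src"}
VOID_TAGS = {"br", "img"}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*$")


def url_is_allowed(value: str) -> bool:
    """Relative URLs pass; absolute URLs must use a whitelisted scheme.

    Whitespace and control characters are removed before the scheme is
    compared, so a scheme broken up by a newline is still recognised as one.
    """
    scheme, sep, _ = value.partition(":")
    if not sep:
        return True                      # no colon at all: relative URL
    scheme = re.sub(r"[\s\x00-\x1f]", "", scheme).lower()
    if not SCHEME_RE.match(scheme):
        return True                      # e.g. 'dir/a:b' is not a scheme
    return scheme in ALLOWED_SCHEMES


class WhitelistFilter(HTMLParser):
    """Re-emits only whitelisted tags and attributes; text is re-escaped.

    Comments, declarations and processing instructions fall through the
    default HTMLParser handlers and are therefore dropped.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:
            return                       # tag dropped; its text still flows through handle_data
        parts = [tag]
        for name, value in attrs:
            value = value or ""
            if name not in allowed:
                continue                 # style, onclick, title-on-p, ... all land here
            if name in URL_ATTRS and not url_is_allowed(value):
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))


def sanitize(fragment: str) -> str:
    f = WhitelistFilter()
    f.feed(fragment)
    f.close()
    return "".join(f.out)


# Constructed regression cases: (input, expected output).
CASES = [
    ('<a href="http://example.com/" style="color:red">x</a>',
     '<a href="http://example.com/">x</a>'),
    ('<p onclick="go()">hi</p>', '<p>hi</p>'),
    ('<a href="javascript:void(0)">x</a>', '<a>x</a>'),
    ('<a href="java\nscript:void(0)">x</a>', '<a>x</a>'),
    ('<img src="/img/a.png" alt="a" style="x">', '<img src="/img/a.png" alt="a">'),
    ('<b>bold <u>under</u></b>', '<b>bold under</b>'),
    ('<p>1 &amp; 2 &lt; 3</p>', '<p>1 &amp; 2 &lt; 3</p>'),
    ('<p title="t">keep</p>', '<p>keep</p>'),
]


def run_harness():
    """Return the cases whose sanitized output differs from the expectation."""
    return [(src, want, sanitize(src)) for src, want in CASES if sanitize(src) != want]


if __name__ == "__main__":
    failures = run_harness()
    for src, want, got in failures:
        print(f"FAIL {src!r}\n  want {want!r}\n  got  {got!r}")
    print(f"{len(CASES) - len(failures)}/{len(CASES)} cases passed")
```

Like KSES, this filter does not balance tags, so an unclosed allowed element is passed through as-is; keeping the expected outputs in a table makes it easy to re-run the same inputs after swapping in a patched filter, which is the kind of check a harness around the shipped KSES class would perform.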


