Spidean Forums


Topic Review


posted on 4/6/2006 at 01:54 AM

I think this is a personal firewall issue. I will hopefully release a new PostWrap soon that fixes this and changes some things. Allowing from the address bar should really not pose any security problems.

-Shawn




posted on 4/3/2006 at 05:43 PM

Ok,

I have the settings as follows:

Allow input from address bar : No
Compare URLs against URL Security : Yes

I have all links in site 'internal'

yet some people (a small minority) are reporting that they get the
not allowed to enter from browser bar message when using internal links.

Any idea why this is happening and
how much of a security hole do I open if I allow people to input addresses in the browser bar?

Thanks

Michael




posted on 12/30/2005 at 05:52 AM

This has been explained multiple times in the posts at PostNuke (found in the News articles). And I have attempted to post on any security website where I have seen this.

This is not a vulnerability. If you disable all of the security in PostWrap, specifically the "Compare URLs against URL Security?" which is enabled by default, then you may open up some possible minor security issues. Likewise, if you disable ALL security settings in Windows or Linux, then you may be vulnerable to some exploit.

Thanks!
-Shawn

[Edited on 12/30/2005 by Shawn]




posted on 12/30/2005 at 01:12 AM

I found the following post at news.postnuke.com:

Posted by: markwest on Thursday, March 10, 2005 - 08:50 AM

PostWrap is reportedly affected by a cross-site scripting vulnerability. This issue is due to the application failing to properly sanitize user-supplied input.

As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
References:
http://www.securityfocus.com/bid/12505/info
Vendor: http://spidean.mckenzies.net

Has this issue been resolved?

Thanks

Michael
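
An added example, not PostWrap's code and not written by anyone in this thread: one way a URL-wrapping page can compare the requested URL against an allowlist and escape it on output, which is the kind of check the "Compare URLs against URL Security?" setting and the quoted cross-site scripting report are about. The function names, host names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Hosts the site operator permits to be wrapped (constructed sample values).
const ALLOWED_HOSTS = ['www.example.org', 'docs.example.org'];

// Return the URL unchanged if it may be wrapped, or null if it must be refused.
function validate_wrapped_url(string $url, array $allowedHosts): ?string
{
    // Refuse empty input, whitespace and control characters outright.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    // Relative paths, malformed URLs and host-less schemes (javascript:, data:) stop here.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // user@host forms can make an untrusted host look like a trusted one.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    // Exact host match only; no substring or suffix comparison.
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $url;
}

// Build the wrapper markup; the URL is escaped even after it passed validation.
function render_wrapper(string $url, array $allowedHosts): string
{
    $safe = validate_wrapped_url($url, $allowedHosts);
    if ($safe === null) {
        return '<p>This address is not allowed.</p>';
    }
    $attr = htmlspecialchars($safe, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<iframe src="' . $attr . '" width="100%" height="600"></iframe>';
}

// Constructed inputs: one permitted URL followed by four that must be refused.
$samples = [
    'https://www.example.org/page?id=1&name="a"',
    'https://other.example.net/',
    'https://www.example.org@other.example.net/',
    'javascript:alert(1)',
    '"><script>alert(1)</script>',
];
foreach ($samples as $s) {
    echo render_wrapper($s, ALLOWED_HOSTS), PHP_EOL;
}
```

The decision depends only on the requested URL, not on how the visitor arrived, so it gives the same result for a link click and for an address typed into the browser bar.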


