Author: Subject: Newbie Security Question

Newbie





Posts: 8
Registered: 5/11/2005
Status: Offline

  posted on 12/30/2005 at 01:12 AM
I found the following post at news.postnuke.com:

Posted by: markwest on Thursday, March 10, 2005 - 08:50 AM

PostWrap is reportedly affected by a cross-site scripting vulnerability. This issue is due to the application failing to properly sanitize user-supplied input.

As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
References:
http://www.securityfocus.com/bid/12505/info
Vendor: http://spidean.mckenzies.net

Has this issue been resolved?

Thanks

Michael

 

Administrator




Posts: 4607
Registered: 10/7/2002
Status: Online

  posted on 12/30/2005 at 05:52 AM
This has been explained multiple times in the posts at PostNuke (found in the News articles). And I have attempted to post on any security website where I have seen this.

This is not a vulnerability. If you disable all of the security in PostWrap, specifically the "Compare URLs against URL Security?" which is enabled by default, then you may open up some possible minor security issues. Likewise, if you disable ALL security settings in Windows or Linux, then you may be vulnerable to some exploit.

Thanks!
-Shawn

[Edited on 12/30/2005 by Shawn]
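
An added example, not part of either post and not PostWrap's code: one way a URL allowlist comparison can work, assuming a wrapper module that takes a URL parameter and renders it in an iframe. How PostWrap implements its "Compare URLs against URL Security?" setting is not shown in this thread; the function names, allowlist entries and sample URLs are constructed.

```php
<?php
// Added example, not PostWrap's code. Constructed allowlist standing in for "URL Security" entries.
const ALLOWED_PREFIXES = ['https://docs.example.org/', 'https://example.org/gallery/'];

// Returns the normalized URL if it may be wrapped, otherwise null.
function check_wrap_url(string $url): ?string
{
    // Refuse whitespace, control characters, quotes, angle brackets, backslashes.
    if ($url === '' || preg_match('/[\x00-\x20\x7f"\'<>\\\\]/', $url)) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host']) || isset($p['user'])) {
        return null;
    }
    // http(s) only: this refuses javascript:, data: and similar schemes.
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    // Dot segments (also percent-encoded) could climb out of an allowed prefix.
    $path = $p['path'] ?? '/';
    if (strpos(rawurldecode($path), '..') !== false) {
        return null;
    }
    $port = isset($p['port']) ? ':' . $p['port'] : '';
    $base = $scheme . '://' . strtolower($p['host']) . $port . $path;
    foreach (ALLOWED_PREFIXES as $prefix) {
        // Prefixes end in "/", so docs.example.org.other.test cannot match.
        if (strncmp($base, $prefix, strlen($prefix)) === 0) {
            return $base . (isset($p['query']) ? '?' . $p['query'] : '');
        }
    }
    return null;
}

function render_wrapper(string $url): string
{
    $ok = check_wrap_url($url);
    if ($ok === null) {
        return '<p>This URL is not allowed.</p>';
    }
    // Escape for the attribute context even though the URL passed validation.
    return '<iframe src="' . htmlspecialchars($ok, ENT_QUOTES, 'UTF-8') . '"></iframe>';
}

// Constructed inputs: the first is allowed, the other two are refused.
$samples = ['https://docs.example.org/manual/', 'javascript:alert(1)', 'https://docs.example.org.other.test/'];
foreach ($samples as $u) { echo render_wrapper($u), "\n"; }
```

With the comparison switched off, only the output escaping would stand between a crafted link and the rendered page, which is why the check is worth leaving on.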

 

Newbie




Posts: 8
Registered: 5/11/2005
Status: Offline

  posted on 4/3/2006 at 05:43 PM
Ok,

I have the settings as follows:

Allow input from address bar : No
Compare URL's against URL Security : Yes

I have all links in site 'internal'

yet some people (a small minority) are reporting that they get the
not allowed to enter from browser bar message when using internal links..

Any idea why this is happening and
How much of a security hole do I open if I allow people to input addresses in the browser bar.

Thanks

Michael

 

Administrator




Posts: 4607
Registered: 10/7/2002
Status: Online

  posted on 4/6/2006 at 01:54 AM
I think this is a personal firewall issue. I will hopefully release a new PostWrap soon that fixes this and changes some things. Allowing from the address bar should really not pose any security problems.

-Shawn

 