On April 13, I wrote the following email to RsWebsols:

Subject: RsMonials, mods, internationalization & localization FR/NL, security issues
From: Erik
Date: Mon, Apr 13, 2009 at 8:35 PM
To: "Support Team (RS Web Solutions)"

> Hi
>> OK, send the script too.
It is your rsmonial scripts but simply i18n.
But then again, I also made a few small changes that just reflect my preferences. You should probably not publish those changes.
Last but not least, I've fixed a few SQL injection and XS scripting attack vulnerabilities too. I would definitely look into them.
I don't write about this in my blog posting about RsMonials, because the accepted convention is not to do that until the author makes a fix available. But then again, the tacit understanding is that in such case the author does effectively fix the vulnerabilities.
Greetings,
Erik

Unfortunately, RsWebsols did not act upon my email. In the meantime, RsMonials has already been reported as having vulnerabilities elsewhere.

Exploit dissemination sites:

Security advisory sites:

Concerning the i18n version of RsMonials that can be downloaded at this site:

- I have fixed (probably) all the SQL injection vulnerabilities. (They are seriously worse and more dangerous than the cross-site scripting (XSS) issues!)
- If you do not publish testimonials automatically, you should not be affected by the XSS issues;
- I did not meticulously fix all the XSS issues, because it is the responsibility of the original author to spend time doing that;
- So, even with the i18n version, do not publish testimonials automatically, and you should be ok.
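To make the two classes of defect in the list above concrete, here is an added example in PHP. It is not RsMonials code and does not come from RsWebsols or from this site's i18n version: a minimal testimonial store in which the unsafe query construction and the unsafe rendering are each placed beside a hardened version, together with the moderation gate that "do not publish testimonials automatically" relies on. The table `testimonials(id, name, text, published)`, its columns and all function names are this example's own assumptions.

```php
<?php
// Added example, not RsMonials code. The table `testimonials(id, name, text, published)`
// and the function names below are assumptions made for this demonstration.

// --- SQL injection: query text built from request input (the pattern to remove) ---
function getTestimonialUnsafe(PDO $db, $id)
{
    // $id lands inside the SQL text, so its content is parsed as part of the statement.
    return $db->query("SELECT id, name, text FROM testimonials WHERE id = $id")
              ->fetch(PDO::FETCH_ASSOC);
}

// --- Hardened: a prepared statement binds the id as data, and only published rows are served ---
function getTestimonialSafe(PDO $db, $id)
{
    $stmt = $db->prepare(
        'SELECT id, name, text FROM testimonials WHERE id = :id AND published = 1'
    );
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// --- Stored XSS: visitor-supplied text echoed verbatim into the page (the pattern to remove) ---
function renderTestimonialUnsafe(array $t)
{
    return '<p>' . $t['text'] . '<br/>- ' . $t['name'] . '</p>';
}

// --- Hardened: HTML-encode every field at output time ---
function renderTestimonialSafe(array $t)
{
    $text = htmlspecialchars($t['text'], ENT_QUOTES, 'UTF-8');
    $name = htmlspecialchars($t['name'], ENT_QUOTES, 'UTF-8');
    return '<p>' . $text . '<br/>- ' . $name . '</p>';
}

// --- Moderation gate: submissions stay unpublished unless auto-publish is on ---
function submitTestimonial(PDO $db, $name, $text, $autoPublish)
{
    $stmt = $db->prepare(
        'INSERT INTO testimonials (name, text, published) VALUES (:name, :text, :pub)'
    );
    $stmt->execute([':name' => $name, ':text' => $text, ':pub' => $autoPublish ? 1 : 0]);
    return (int) $db->lastInsertId();
}

// Stand-alone demo on an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE testimonials (id INTEGER PRIMARY KEY, name TEXT, text TEXT, published INTEGER)');

$id = submitTestimonial($db, 'A visitor', 'Nice <i>component</i>', false);

// Not yet moderated: the safe getter returns false, so nothing reaches the page.
var_dump(getTestimonialSafe($db, $id));

// After an administrator publishes it, markup in the text is shown literally, not interpreted.
$db->exec('UPDATE testimonials SET published = 1');
echo renderTestimonialSafe(getTestimonialSafe($db, $id)), PHP_EOL;
```

The two hardened functions map onto the two points in the list: the prepared statement removes the SQL injection regardless of configuration, while the `published = 1` filter plus output encoding is what keeps a site safe when testimonials are held for review rather than shown as soon as they are submitted. The unsafe variants are kept only for contrast and should not be wired to any route.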