18 Jun
2003
18 Jun
'03
3:39 p.m.
Hi
Hi:I just want to now..if the recently published bugs
at securityfocus
are true..sometimes te people lie on this list...thats my
question...--Visita
You seem to mean http://www.securityfocus.com/archive/1/325641 ? I just found that
by searching the site. Sadly though, that person has never contacted the team about
that issue.
As far as I can tell, that ImportDocSQL security issue was fixed since 2.5.0 - I
haven't looked into the other XSS issues, as the original poster doesn't exactly
specify them. Most actions need a valid 'session' to execute cross-site
scripting,
which is not *that* serious. Storing cookies unencrypted is documented in some of
our RFE trackers, why we don't encrypt the data currently.
But our team should definitely take some time to write a follow-up/response to that
item...
Regards,
Garvin.