Hi,
I just want to know if the recently published bugs at securityfocus are true... sometimes the people lie on this list... that's my question.
--Visita
You seem to mean http://www.securityfocus.com/archive/1/325641 ? I just found that by searching the site. Sadly, though, that person has never contacted the team about that issue.
As far as I can tell, that ImportDocSQL security issue has been fixed since 2.5.0 - I haven't looked into the other XSS issues, as the original poster doesn't exactly specify them. Most actions need a valid 'session' to execute cross-site scripting, which is not *that* serious. Storing cookies unencrypted is documented in some of our RFE trackers, which is why we don't encrypt the data currently.
But our team should definitely take some time to write a follow-up/response to that item...
Yes. Maybe a link on that points to a new FAQ entry about this security report? This way, we don't clutter the main site.
Marc Delisle