Close

dadaimc : http://www.dadaimc.org

Security Vulnerabilities

Javascript XSS Vulnerability

Background

dadaIMC is content management software for the development of an Independent Media Center site.

Description

Versions of dadaIMC prior to .99.2 are vulnerable to the inclusion of Javascript code within user input. Normally, user input is validated and scrubbed of malicious content, but a bug in susceptible versions of dadaIMC allowed some Javascript attributes to be ignored by the scrubber.

Analysis

Exploitation involves user input that includes HTML tags with a Javascript handler as an attribute, e.g. "onmousedown." Any valid javascript code can be executed as a result of the triggered action.

Detection

Versions of dt_FunctionLibrary.inc prior to 1.71 are susceptible to this vulnerability.

Workaround

Update your software using the Auto-Update module, or download version 1.71 or higher of the dt_FunctionLibrary.inc file from cvs.dadaimc.org.

Timeline

Reported 4-Sep-2005
Patched on 7-Sep-2005

Credit

Reported by Alster

Software

dadaIMC .99.3
[Download]

Documentation

Documentation

Report Bugs

dadaIMC uses the Mantis bug-tracking system for bug reporting. Please use it! And check for existing reports of your bug before submitting a new one.

CVS

The current CVS version of dadaIMC is now browseable online. Be forewarned, though, that it is not always in a useable state as-is!

Information Library

Donations

Support development!

Search

Advanced Search

Account Login

This site made manifest by Manifesto software