Bug Report #3051

XSS issues on web site

Added by Rasmus Lerdorf almost 3 years ago. Updated almost 3 years ago.

Status:Closed Start date:07/07/2010
Priority:Urgent Due date:
Assignee:Woody Gilk % Done:

100%
Category:Web Site
Target version:v3.0.7
Resolution:fixed Points:

Description

You guys have a couple of different XSS holes on your site(s):

http://kohanaframework.org/foo?%3Cscript%3Ealert(1)%3C/script%3E
http://kohanaframework.org/guide/about.kohana/%3C/script%3E%3Cscript%3Ealert(%22xss%22);%3C/script%3E

Not exactly XSS, but you should block access to:

http://kohanaframework.org/.git/config
http://dev.kohanaframework.org/.svn/entries

Related issues

related to Kohana v3.x - Bug Report #3052: XSS issue in the error page globals section v3.0.7 Closed 07/07/2010
related to Kohana v3.x - Bug Report #3053: XSS issue in the userguide v3.0.7 Closed 07/07/2010
related to Kohana v3.x - Bug Report #3470: error screen shows an <a> tag instead of interpreting it ... v3.0.9 Closed 12/10/2010

History

#1
Updated by Woody Gilk almost 3 years ago

  • Status changed from New to Closed
  • Target version set to v3.0.7
  • Resolution set to fixed

Thanks Rasmus, two issues have been created and fixed. Let us know if you find anything else!

#2
Updated by Woody Gilk almost 3 years ago

  • % Done changed from 0 to 100

#3
Updated by Jeremy Bush almost 3 years ago

Can we just use a proper view class and get this whole issue behind us? ;)

#4
Updated by Woody Gilk almost 3 years ago

Jeremy, We can discuss that for 3.1.

Also available in: Atom PDF