Hi Thijs,

* Thijs Kinkhorst <thijs@debian.org> [2007-12-11 11:52]:
> On Tuesday 11 December 2007 09:37, nion@alioth.debian.org wrote:
> > Log:
> > CVE-2007-6205 fixed in serendipity 1.2.1-1
> >
> > CVE-2007-6205
> > RESERVED
> > + - serendipity 1.2.1-1 (low)
>
> This issue is: XSS through remote RSS feeds.
>
> I would rate it as unimportant myself: it requires using this specific plugin,
> only with an OPML-format feed, and then the remote maintainer of that feed
> needs to be interested in getting your password,

Or those of the users of the blog.

> and will need to put
> malicious script into the url-parameter of that feed (breaking the feed for
> everyone else, so it's noticeable and traceable who did it). To me this
> scenario sounds highly unlikely.

I agree that it's not a real problem to notice this and to find out who it
was, but this does not help you if the sensitive information was already
gathered. Remember that one important fact is also that there is no reason
why you should trust the remote feed just because you added it. If someone
gets access to the remote host providing the feed, you can do a nice
distributed user credentials cashing with this. Especially considering
Moritz' comment on CVE-2007-1375 I think this should be low.

Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
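To illustrate the rendering mistake the thread is weighing (attribute values from a remote OPML feed dropped into HTML unescaped), here is an added example that is not code from serendipity or its plugin: a vulnerable renderer beside a hardened one that only accepts http(s) URLs and escapes everything. The OPML sample is constructed; the function and constant names are my own.

```python
import html
from typing import Optional
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# Constructed OPML sample (not a real feed). The second outline carries a
# script payload in its xmlUrl attribute, the third uses a javascript: scheme.
SAMPLE_OPML = """<opml version="1.1"><body>
<outline text="Planet Debian" xmlUrl="https://planet.debian.org/rss20.xml"/>
<outline text="Evil" xmlUrl="http://x/feed&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"/>
<outline text="Also evil" xmlUrl="javascript:alert(document.cookie)"/>
</body></opml>"""

SAFE_SCHEMES = {"http", "https"}


def render_unsafe(opml: str) -> str:
    """Vulnerable pattern: remote attribute values pasted into HTML verbatim.
    The feed owner controls the markup that ends up in every reader's browser."""
    out = []
    for o in ET.fromstring(opml).iter("outline"):
        out.append('<a href="%s">%s</a>' % (o.get("xmlUrl", ""), o.get("text", "")))
    return "\n".join(out)


def safe_url(url: str) -> Optional[str]:
    """Return an HTML-attribute-safe URL, or None if it is not a plain http(s) link."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None  # rejects javascript:, data:, relative and empty URLs
    return html.escape(url, quote=True)  # neutralises " > < & inside the attribute


def render_safe(opml: str) -> str:
    """Hardened renderer: scheme allow-list plus contextual escaping.
    Entries whose URL fails validation are dropped rather than rendered."""
    out = []
    for o in ET.fromstring(opml).iter("outline"):
        url = safe_url(o.get("xmlUrl", ""))
        if url is None:
            continue
        out.append('<a href="%s">%s</a>' % (url, html.escape(o.get("text", ""))))
    return "\n".join(out)
```

The same escaping discipline applies to every other feed-supplied attribute (text, htmlUrl, title), not just xmlUrl.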