[opencms-dev] OpenCms (7.5.0) - Vulnerability: Cross-Site Scripting, Phishing Through Frames, Application Error
Manfred Schenk
manfred.schenk at zerobyte.de
Mon Aug 10 12:19:02 CEST 2009
Alexander Kandzior schrieb:
> Manfred,
[..]
>> Some weeks ago (I think it was short after the release of 7.5) there
>> were some discussions about security issues of the image-scaling
>> functionality. Are they already fixed or will they be fixed together
>> with the current issue?
>
> I am not aware that these issues exist, so we have not taken action. "Some
> discussions" I find too vague an issue description. If security issues
> exist, it's best to post these to a security related forum like
> www.securityfocus.com. What is posted there we take seriously.
The discussions were about a possible Denial-Of-Service attack on
opencms-based websites. A.Westermann has also been involved in this
discussion. I just had a look on the mailing-list archive and found out
that there was a little mistake in my last mail. It was not after the
release of 7.5.0 but just a week before the release. So perhaps some fix
has already been included in 7.5.0 - but I'm not sure.
I've added the old postings to this post.
Regards,
Manfred
--
| Manfred Schenk | born between RFC638 and RFC640
| PGP-Keys unter |
| http://www.ZEROByte.de/pgp/ | WWW: http://www.ZEROByte.de/
-------------- next part --------------
An embedded message was scrubbed...
From: Mika Salminen <mika.j.salminen at gmail.com>
Subject: [opencms-dev] DOS attacks made possible by image scaling?
Date: Tue, 9 Jun 2009 22:41:35 +0300
Size: 8587
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20090810/dc282a74/attachment.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: Paul-Inge Flakstad <flakstad at npolar.no>
Subject: Re: [opencms-dev] DOS attacks made possible by image scaling?
Date: Wed, 10 Jun 2009 01:44:57 +0200
Size: 10996
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20090810/dc282a74/attachment-0001.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: Claus Priisholm <cpr at codedroids.com>
Subject: Re: [opencms-dev] DOS attacks made possible by image scaling?
Date: Wed, 10 Jun 2009 10:21:40 +0200
Size: 7246
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20090810/dc282a74/attachment-0002.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: "a.westermann at alkacon.com" <a.westermann at alkacon.com>
Subject: Re: [opencms-dev] DOS attacks made possible by image scaling?
Date: Wed, 10 Jun 2009 10:54:28 +0200
Size: 7800
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20090810/dc282a74/attachment-0003.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: Sebastian Himberger <sebastian.himberger at gmx.de>
Subject: Re: [opencms-dev] DOS attacks made possible by image scaling?
Date: Wed, 10 Jun 2009 11:18:00 +0200
Size: 9453
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20090810/dc282a74/attachment-0004.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: Claus Priisholm <cpr at codedroids.com>
Subject: Re: [opencms-dev] DOS attacks made possible by image scaling?
Date: Wed, 10 Jun 2009 12:46:26 +0200
Size: 11210
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20090810/dc282a74/attachment-0005.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: Mika Salminen <mika.j.salminen at gmail.com>
Subject: Re: [opencms-dev] DOS attacks made possible by image scaling?
Date: Thu, 11 Jun 2009 14:45:24 +0300
Size: 24144
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20090810/dc282a74/attachment-0006.eml>
-------------- next part --------------
An embedded message was scrubbed...
From: Claus Priisholm <cpr at codedroids.com>
Subject: Re: [opencms-dev] DOS attacks made possible by image scaling?
Date: Thu, 11 Jun 2009 20:39:31 +0200
Size: 6981
URL: <https://webmail.opencms.org/pipermail/opencms-dev/attachments/20090810/dc282a74/attachment-0007.eml>
More information about the opencms-dev
mailing list