Freetag plugin updated to prevent XSS

Thursday, February 7. 2008
Posted by Garvin Hicking in Announcements, Security

Comments (4)
Trackbacks (0)

The Freetag plugin has been updated to version 2.96 to fix a possible XSS to the tagcloud output.

XSS attacks can be used by visitors to display foreign HTML or JavaScript to visitors of the blog, if they visit specially crafted URLs. This attack basically allows for cookie stealing.

Users of the freetag plugin should upgrade to the latest version; upgrading via Spartacus-Plugin or Spartacus.s9y.org is just a matter of a few minutes. Thanks to Alex from Bitsploit.de for reporting this issue to us.

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

user or owner can steal cookies?

#1 reinhard (Homepage) on 2008-02-08 21:21

flyinweb@126.com

#1.1 aa (Homepage) on 2008-02-20 04:13

http://www.metacafe.com/watch/1104340/vieste/

#1.2 atcore6 (Homepage) on 2008-02-24 23:43

If someone can trick you into clicking a link to your own blog, it does not matter if he's an owner, user or visitor of the blog.

This upgrade is mandatory for users of the freetag plugin.

#2 Garvin (Homepage) on 2008-02-08 21:51

Add Comment

Name
Email
Homepage
In reply to
Comment: E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

Enter the string from the spam-prevention image above:
BBCode format allowed
: Remember Information?
Subscribe to this entry

Frontpage - Top level

Freetag plugin updated to prevent XSS

Serendipity

Freetag plugin updated to prevent XSS

Quicksearch

Categories

Archives

Development state

Syndicate This Blog

More Feeds/Information