3.0.4 changelog update

1 parent f8bbc0a commit 303352926be62c96ac0c1f636e74faa64cc92104 @chillu chillu committed Jan 4, 2013
Showing with 45 additions and 1 deletion.
  1. +45 −1 docs/en/changelogs/3.0.4.md
46 docs/en/changelogs/3.0.4.md
@@ -5,11 +5,14 @@
* Security: Information leakage through web access on YAML configuration files
* Security: Information leakage through web access on composer files
* Security: Require ADMIN permissions for `?showtemplate=1`
+ * Security: Reflected XSS in custom date/time formats in admin/security
+ * Security: Stored XSS in the "New Group" dialog
+ * Security: Reflected XSS in CMS status messages
* Changed `dev/tests/setdb` and `dev/tests/startsession` from session to cookie storage.
## Details
-### Security: Prevent web access to YAML and composer files
+### Security: Information exposure through web access on YAML configuration files
Severity: Moderate
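Review bot: the `-`/`+` heading pair narrows "Prevent web access to YAML and composer files" to YAML configuration files only, so the composer-file issue that the summary list still carries ("Security: Information leakage through web access on composer files") has no matching Details heading anywhere in this hunk; either keep the combined heading or add a separate `### Security: ... composer files` section so each summary bullet has a Details entry. The summary bullet also still says "Information leakage" while the new heading says "Information exposure"; pick one term and use it in both places.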
@@ -52,6 +55,47 @@ which might expose some of the internal template logic.
## Upgrading
+### Security: Reflected XSS in custom date/time formats in admin/security
+
+Severity: Low
+
+Prerequisite: An attacker must have access to the admin interface.
+
+Description: When creating a new user on the security page
+(Security->New User) within the admin interface, the user input
+is not properly validated and not encoded. A reflected XSS is
+possible within the `DateFormat_custom` and `TimeFormat_custom` fields.
+
+Credits: Andreas Hunkeler (Compass Security AG, http://www.csnc.ch)
+
+### Security: Stored XSS in the "New Group" dialog
+
+Severity: Low
+
+Prerequisite: An attacker must have access to the admin interface.
+
+Description: There is a stored XSS vulnerability on the "group" tab on the
+security page in the admin interface
+(Security -> Groups -> New Group). It's possible to store a
+XSS within the group name. Everywhere where these group names
+are used, the XSS is executed. E.g. "New User" or "New Group".
+
+Credits: Andreas Hunkeler (Compass Security AG, http://www.csnc.ch)
+
+### Security: XSS in CMS status messages
+
+Severity: Low
+
+Prerequisite: An attacker must have access to the admin interface.
+
+Description: Any data returned to CMS status messages (Growl-style popovers on top right)
+was not escaped, allowing XSS e.g. when publishing a page with
+a specifically crafted "Title" field.
+
+Credits: Andreas Hunkeler (Compass Security AG, http://www.csnc.ch)
+
+### Misc
+
* If you are using `dev/tests/setdb` and `dev/tests/startsession`,
you'll need to configure a secure token in order to encrypt the cookie value:
Simply run `sake dev/generatesecuretoken` and add the resulting code to your `mysite/_config.php`.
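Review bot: the three new `### Security:` sections (and the new `### Misc` heading) are inserted immediately after the `## Upgrading` context line, which files them under Upgrading instead of under `## Details` next to the existing security entries; move the added block above `## Upgrading` so that Upgrading keeps only the `dev/tests/setdb` / `dev/tests/startsession` secure-token note, at which point the `### Misc` heading is no longer needed. Also, the heading `### Security: XSS in CMS status messages` drops the word "Reflected" that the summary bullet `* Security: Reflected XSS in CMS status messages` uses; make the two consistent.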
