XSS in PhocaGallery 2.7.5

Phoca Gallery - image gallery extension
OnkelBens
Phoca Member
Posts: 10
Joined: 19 Nov 2009, 15:31

XSS in PhocaGallery 2.7.5

Post by OnkelBens »

Benno
Phoca Hero
Posts: 10081
Joined: 04 Dec 2008, 11:58
Location: Germany

Re: XSS in PhocaGallery 2.7.5

Post by Benno »

Hi,
http://127.0.0.1/www23/administrator/in ... round:red;
Cannot work. 127.0.0.1 is normally a local IP.
Kind regards,
Benno
OnkelBens
Phoca Member
Posts: 10
Joined: 19 Nov 2009, 15:31

Re: XSS in PhocaGallery 2.7.5

Post by OnkelBens »

:| How should I know the path of your Joomla?
So the easiest way is to just post my link.
With a little bit of thinking, you would have tried the path on your install and seen what happens then.
Jan
Phoca Hero
Posts: 49297
Joined: 10 Nov 2007, 18:23
Location: Czech Republic

Re: XSS in PhocaGallery 2.7.5

Post by Jan »

Hi, I will take a look at it. Anyway, this is not really a security issue, as the site is protected by the admin password. I cannot imagine that some administrator (who has access to the admin) will "play" with javascript "hacks" for himself if he has access to files and database ...

Will try to fix it for the next version.

Jan
If you find Phoca extensions useful, please support the project
OnkelBens
Phoca Member
Posts: 10
Joined: 19 Nov 2009, 15:31

Re: XSS in PhocaGallery 2.7.5

Post by OnkelBens »

I'm logged in to my admin backend the whole day at work. With this
issue it's enough to visit an evil page to execute some JS in the backend.
Can't believe people still think XSS isn't dangerous.
Did you read about the (I think it was) Fedora server hacks? They rooted the server of the Fedora project, and
this attack started with some simple XSS.

XSS ALWAYS needs a quick security fix!
Jan
Phoca Hero
Posts: 49297
Joined: 10 Nov 2007, 18:23
Location: Czech Republic

Re: XSS in PhocaGallery 2.7.5

Post by Jan »

Hi, it will be fixed in the next version - as soon as possible. I hope I will fix it today.

Yes, you are right, it can be a problem if you are logged in to the Joomla! admin the whole day and you are visiting evil pages.

In Phoca Gallery 3, there is no such problem.

Jan

I will fix it as soon as possible, but some tips for other users (in case this is not fixed in some other component - as the standard Joomla! framework code was used):

- if it is possible, use only one browser to admin your Joomla! site (don't use this browser for visiting other sites)
- if it is not possible, clear private data before logging into your administration, and don't use tabs in this browser while administrating your Joomla!
- log off after every finished piece of work in your administration.
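The thread never shows the affected code, so here is an added illustration (not Phoca Gallery's or Joomla's code) of the pattern behind this kind of bug and its fix. It assumes a hypothetical admin form that renders a theme colour field such as the "ssbgc" field mentioned above, taking the value from the request; the field renderers, the `sanitizeColor` helper and the sample inputs are all constructed for this example.

```php
<?php
// Added example, not Phoca Gallery code: rendering an admin theme-colour field.
// The field name "ssbgc" comes from the thread; everything else is constructed.

// Vulnerable pattern: the request value is written into the page unchanged, so a
// crafted link opened by a logged-in administrator puts attacker-chosen markup
// into the backend page (the reflected XSS discussed in this thread).
function renderColorFieldUnsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened pattern, two independent layers:
//  1. Validate: a theme colour is only ever "#rgb" or "#rrggbb"; anything else is
//     replaced by a known-safe default instead of being echoed back.
//  2. Encode: escape for the HTML attribute context regardless of step 1, so the
//     template stays safe even if the validator is loosened later.
function sanitizeColor(string $value, string $default = '#ffffff'): string
{
    return preg_match('/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value) === 1 ? $value : $default;
}

function renderColorFieldSafe(string $name, string $value): string
{
    $safeName  = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safeValue = htmlspecialchars(sanitizeColor($value), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $safeName . '" value="' . $safeValue . '" />';
}

// Constructed inputs: a legitimate colour, and a value that closes the attribute
// with a double quote so that whatever follows becomes part of the page.
$good = '#ff0000';
$bad  = '"><i>injected</i>';   // constructed demonstration value

echo "unsafe: " . renderColorFieldUnsafe('ssbgc', $bad) . PHP_EOL;
echo "safe:   " . renderColorFieldSafe('ssbgc', $bad) . PHP_EOL;
echo "safe:   " . renderColorFieldSafe('ssbgc', $good) . PHP_EOL;
```

Run with `php example.php`. The unsafe renderer emits the quote and the tag unchanged, so the browser sees a new element inside the admin page; the safe renderer never lets the request value reach the markup, because the validator rejects it and the attribute value is additionally entity-encoded. The validation step is what Jan's "fix all other fields" request amounts to: each theme setting has a narrow legitimate shape (a colour, a pixel size, a yes/no flag), and checking that shape on input plus encoding on output is what makes a field safe even for a logged-in administrator who follows an untrusted link.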
Jan
Phoca Hero
Posts: 49297
Joined: 10 Nov 2007, 18:23
Location: Czech Republic

Re: XSS in PhocaGallery 2.7.5

Post by Jan »

Fixed in 2.7.6

Jan
OnkelBens
Phoca Member
Posts: 10
Joined: 19 Nov 2009, 15:31

Re: XSS in PhocaGallery 2.7.5

Post by OnkelBens »

Thanks a lot, and once again, thanks for your plugin!


EDIT:
Please also fix all other fields in "Themes" like ssbgc and so on.
Jan
Phoca Hero
Posts: 49297
Joined: 10 Nov 2007, 18:23
Location: Czech Republic

Re: XSS in PhocaGallery 2.7.5

Post by Jan »

OK.