Welcome to Geeklog Tuesday, December 06 2016 @ 07:06 am EST

Security issues in kses


Lukasz Pilorz has found 3 security issues in kses, the HTML filter we're using in Geeklog. We have examined these issues and to the best of our knowledge, 2 of the 3 issues are not exploitable in the Geeklog context, due to additional filtering done by Geeklog. The third issue is exploitable, but won't affect standard installs.

The exploitable issue affects the HTML style attribute. In a standard install of Geeklog, the style attribute is not allowed, i.e. filtered out when someone attempts to use it. This has always been our recommendation, as it could be used for defacements. Lukasz has demonstrated that it could also be used for XSS. Since kses is no longer maintained, there is no patch for this issue. We therefore want to repeat our recommendation: Do not allow the style attribute for normal users and be very careful when allowing it for Admin users.
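One way to check a configuration against this recommendation, as an added example that is not Geeklog's or kses's own code. It assumes the kses allowed-HTML array shape (tag name mapped to an array of permitted attributes); the function names and sample lists are constructed for illustration.

```php
<?php
// Added example: audit kses-style allowed-HTML arrays for the style attribute.
// Assumed shape: tag => array(attribute => 1 or an array of value checks).

/** True if an attribute key names the style attribute, ignoring case and padding. */
function isStyleAttr($attr)
{
    return strtolower(trim((string) $attr)) === 'style';
}

/** Return the tags in $allowed that permit a style attribute. */
function tagsAllowingStyle(array $allowed)
{
    $hits = array();
    foreach ($allowed as $tag => $attrs) {
        if (is_array($attrs) && array_filter(array_keys($attrs), 'isStyleAttr')) {
            $hits[] = $tag;
        }
    }
    return $hits;
}

/** Return a copy of $allowed with every style attribute removed. */
function withoutStyle(array $allowed)
{
    foreach ($allowed as $tag => $attrs) {
        if (!is_array($attrs)) {
            continue;
        }
        foreach (array_filter(array_keys($attrs), 'isStyleAttr') as $attr) {
            unset($allowed[$tag][$attr]);
        }
    }
    return $allowed;
}

// Constructed sample lists (hypothetical, not Geeklog's shipped defaults).
$userHtml = array(
    'p'    => array(),
    'a'    => array('href' => 1, 'title' => 1),
    'span' => array('class' => 1, 'style' => 1),   // weak: style open to normal users
);
$adminHtml = array(
    'div' => array('class' => 1, 'id' => 1, 'Style' => 1), // mixed case is still caught
    'img' => array('src' => 1, 'alt' => 1),
);

foreach (array('user' => $userHtml, 'admin' => $adminHtml) as $name => $list) {
    $bad = tagsAllowingStyle($list);
    echo $name, ': ', $bad ? 'style allowed on ' . implode(', ', $bad) : 'ok', "\n";
}
$userHtml = withoutStyle($userHtml); // corrected list for normal users
```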

For the other two issues, Lukasz has provided a patch for kses that we've rolled into Geeklog 1.5.0, just in case. For earlier releases, you can download a drop-in replacement for kses. Again, to the best of our knowledge, the issues (which include arbitrary code execution) do not seem to be exploitable in the Geeklog context.

Since kses is no longer maintained, we will be looking into replacing it with some other HTML filter in future Geeklog releases.

