Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 22 Feb 2018 16:46:55 +0000
From: Justin Bull <me@...tinbull.ca>
To: oss-security@...ts.openwall.com, bugtraq@...urityfocus.com, 
	fulldisclosure@...lists.org
Subject: Re: [CVE-2018-1000088] Stored XSS vulnerability in Doorkeeper gem
 v2.1.0 - v4.2.5

On Wed, Feb 21, 2018 at 5:17 PM Justin Bull <me@...tinbull.ca> wrote:

>
> Solution:
> ---------
> Upgrade to Doorkeeper v4.2.6 or later
>
>
Apologies. This fails to account for a non-trivial scenario.

Any software using Doorkeeper that has generated its own custom views[0]
requires manual work to verify there's no explicit HTML in the
`client_name` and `native_redirect_uri` field values.

This has been updated in the bulletin's Fix section[1].

[0]: https://github.com/doorkeeper-gem/doorkeeper/wiki/Customizing-views
[1]:
https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/#fix
-- 
Justin Bull
PGP Fingerprint: E09D 38DE 8FB7 5745 2044 A0F4 1A2B DEAA 68FD B34C

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.