Closed splitbrain closed 8 years ago
On 12/1/2015 12:58 PM, Andreas Gohr wrote:
See http://php-grinder.com/project/view/20300
In scripts/newsfeed.php is an XSS vulnerability. I could pass an attack vector to $_POST['feed_ref'];
I haven't checked the other reported problems in detail.
— Reply to this email directly or view it on GitHub https://github.com/turnermm/news/issues/8.
Something is wrong with grinder. It's not correctly downloading urls from github.
Myron Turner http://mturner.org/ https://github.com/turnermm
What do you mean? I can see the problems listed by grinder in the sources of your github repo?
On 12/2/2015 9:11 AM, Andreas Gohr wrote:
What do you mean? I can see the problems listed by grinder in the sources of your github repo?
That's, I assume, from your original. But I test on test branches: https://github.com/turnermm/news/tree/grinder
And the other day I used test branches without any issue.
Myron Turner http://mturner.org/ https://github.com/turnermm
for instance: http://php-grinder.com/project/view/21387
Ah okay. I'm currently going through all DokuWiki plugins with a github repo that trigger warnings in grinder. I go through the reports and do a very rough assessment of whether the grinder problems could be real vulnerabilities. If so, I open issues. All grinder tests I did happened on master, so if you started to fix things in other branches already, please feel free to close my issues. I might continue opening issues for things you already fixed in other branches, just to keep track. Sorry for that. Again, feel free to close anything you have fixed already.
BTW: grinder wants github repository URLs, not zip files.
I used zip, tar.gz, and github URLs, and all have worked, until this morning. I started with github URLs and then tried the others when that failed.
I keep getting the 'Archive Error' message, no matter what url I use. Could you try: https://github.com/violetfish/news violetfish is a second account I keep for testing things. I emailed them but haven't heard back. Thanks. Myron
The error is with grinder. See for instance another recent github archive that's gotten the same message: http://php-grinder.com/project/view/21417
news plugin vulnerabilities fixed in newsfeed.php
Looks like php-grinder is fixed for github.