Full Disclosure mailing list archives
ReviewBoard Vulnerabilities
From: Craig Young <vuln-report () secur3 us>
Date: Thu, 8 Aug 2013 23:53:46 -0400
ReviewBoard (www.reviewboard.org) aims to 'take the pain out of code review'. Integration with source control makes it imperative to maintain proper protections on this server. I have worked with the developers to resolve multiple XSS conditions and harden web server configurations. The XSS conditions are resolved by upgrading to the latest release, but the arguably more important fix (configuration change) must be manually applied to existing sites.

ReviewBoard admins are advised to upgrade and review their Apache/nginx configurations to avoid access control bypass, code execution, and XSS.

I have prepared a blog post to explain the issues and provide proof-of-concept/reproduction information:
http://www.tripwire.com/state-of-security/vulnerability-management/vulnerabilities-its-time-to-review-your-reviewboard/

Thanks,
Craig Young
Security Researcher, Tripwire VERT
@CraigTweets

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/