oss-sec mailing list archives

Re: CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS vulnerability in filemanager functionality


From: Hanno Böck <hanno () hboeck de>
Date: Fri, 16 Jan 2015 00:06:50 +0100

On Thu, 15 Jan 2015 16:44:39 -0500
Daniel Kahn Gillmor <dkg () fifthhorseman net> wrote:

> Is a bit troubling, because it seems to rely on the Subject: line for
> necessary context in interpreting the signed message.

There's probably no better evidence for the severe usability issues
pgp-based mail has than people on a mailing list of IT security
specialists explaining to each other how to properly use it :-)

Having said that: I have a rough kind-of-proposal to fix exactly that
problem. I think pgp not encrypting/signing the subject is one of its
major usability fails.
I'll send my ideas to the gpg dev list soon, will post a link here when
done. Let's see if we can at least fix that.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: _bin
Description: OpenPGP digital signature

