oss-sec mailing list archives
Re: CVE-Request -- CMS b2evolution v.5.2.0 -- Reflecting XSS vulnerability in filemanager functionality
From: Hanno Böck <hanno () hboeck de>
Date: Fri, 16 Jan 2015 00:06:50 +0100
On Thu, 15 Jan 2015 16:44:39 -0500 Daniel Kahn Gillmor <dkg () fifthhorseman net> wrote:

> Is a bit troubling, because it seems to rely on the Subject: line for necessary context in interpreting the signed message.

There's probably no better evidence for the severe usability issues pgp-based mail has than people on a mailing list of IT security specialists explaining to each other how to properly use it :-)

Having said that: I have a rough kind-of-proposal to fix exactly that problem. I think pgp not encrypting/signing the subject is one of its major usability fails. I'll send my ideas to the gpg dev list soon, will post a link here when done. Let's see if we can at least fix that.

--
Hanno Böck
http://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: BBB51E42