Secunia Advisory SA43818: qooxdoo Cross-Site Scripting and File Disclosure Vulnerabilities

Criticality: Moderately critical
Release Date: 2011-04-06
Last Update: 2011-04-26

Description

Two vulnerabilities have been discovered in qooxdoo, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.

Comments

thron7 (Member, Location: DE), 7th Apr, 2011 17:47, RE: qooxdoo Cross-Site Scripting and File Disclosure Vulnerabilities:
I'm one of the qooxdoo core developers. Both offending files (jsonp_primitive.php and delay.php) are just part of our own unit testing suite, and we use them only in a closed development environment. They appear in the framework's resource folders and in the optimized version of a unit test application. It is just unfortunate that the eyeOS project exposed the entire SDK, including our test suite. Normal users of the qooxdoo SDK, i.e. people building custom applications with qooxdoo, can never be exposed to this because the two files are never included in a user application built with qooxdoo. We will nevertheless mitigate the vulnerabilities, and apologize for any inconveniences.