[OSM-dev] XSS Vulnerabilities
Andy Allan
gravitystorm at gmail.com
Tue Jan 15 09:26:19 GMT 2008
On Jan 15, 2008 12:16 AM, Tom Hughes <tom at compton.nu> wrote:
> In message <478BDC25.9050704 at notthesame.co.uk>
> Callum Noble <callum at notthesame.co.uk> wrote:
>
> > I notice that the message sending section of the openstreetmap.org site
> > is vulnerable to type 2 XSS attacks.
>
> Well thank you for announcing that on a public mailing list. Do you
> not think an email to webmaster might have been more sensible?
Easy Tom, don't flame the guy. The last time anyone mentioned an XSS
problem with our site, SteveC himself sent it to dev, asking the
reporter to log it on trac. How much more public can you get?
http://lists.openstreetmap.org/pipermail/dev/2007-July/005618.html
Perhaps we should set up a security@ alias, and make it obvious on our
website (perhaps on http://wiki.openstreetmap.org/index.php/Contact at
least) as to how you can contact the admins privately with security
issues.
Cheers,
Andy
More information about the dev
mailing list