Forum OpenACS Development: YUI Vulnerability

Posted by Michael Aram on
October 30, 2012 -- An XSS vulnerability has been discovered in some YUI 2 .swf files from versions 2.4.0 through 2.9.0. This defect allows JavaScript injection exploits to be created against domains that host affected YUI .swf files. This vulnerability is similar to, but not the same as, the vulnerability that was announced in 2010.

see https://yuilibrary.com/support/20121030-vulnerability/

I have drawn a sample and downloaded the charts.swf that is currently checked in in ajaxhelper. It turns out that it is an affected version (md5 checksum is listed as affected).

So, firstly, the files in CVS should be patched. Secondly, everyone who has these files on their servers should upgrade, whether or not these components are used!

All the best,
Michael
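The check described in the post above, hashing every hosted .swf file and comparing it against the advisory's list of affected checksums, as an added example that is not part of the thread or of OpenACS itself. The affected-hash set and the directory tree are constructed placeholders; the real checksums must be copied from the advisory page.

```python
import hashlib
import os
import tempfile

# Placeholder: populate from the advisory's affected-checksum list at
# https://yuilibrary.com/support/20121030-vulnerability/ (this value is
# constructed for the example and is NOT a real affected hash).
AFFECTED_MD5 = {
    "0123456789abcdef0123456789abcdef",
}

def md5_of_file(path, chunk=65536):
    """Stream the file through MD5 so large .swf files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_for_affected_swf(root, affected=AFFECTED_MD5):
    """Walk root and return [(path, md5)] for every .swf whose hash is listed.

    Every .swf under the document root is checked, whether or not the package
    shipping it is enabled, since the file is reachable as soon as it is served."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".swf"):
                path = os.path.join(dirpath, name)
                digest = md5_of_file(path)
                if digest in affected:
                    hits.append((path, digest))
    return hits

def demo():
    """Constructed tree: one 'affected' charts.swf and one clean file (hypothetical paths)."""
    root = tempfile.mkdtemp(prefix="yui-scan-")
    pkg = os.path.join(root, "ajaxhelper")
    os.makedirs(pkg)
    payload = b"FWS\x08constructed-affected-swf"
    with open(os.path.join(pkg, "charts.swf"), "wb") as f:
        f.write(payload)
    with open(os.path.join(root, "uploader.swf"), "wb") as f:
        f.write(b"FWS\x08constructed-clean-swf")
    # Treat the constructed payload's hash as the "listed" one for the demo.
    return scan_for_affected_swf(root, {hashlib.md5(payload).hexdigest()})
```

Run `scan_for_affected_swf("/path/to/openacs/packages")` with `AFFECTED_MD5` filled from the advisory to list the files that must be replaced.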

2: Re: YUI Vulnerability (response to 1)
Posted by Gustaf Neumann on
Thanks for the report. I've updated CVS HEAD and the oacs-5-9 branch and bumped the version numbers, such that users of APM can get these changes smoothly.

The general recommendation is to consider phasing out YUI in OpenACS applications, since the development of YUI has stopped (in 2014, [1,2]).

[1] https://yahooeng.tumblr.com/post/96098168666/important-announcement-regarding-yui
[2] https://www.sitepoint.com/death-yui-can-teach-developers/