Cross Site Scripting

We wanted our clients to know that security researchers discovered cross site scripting vulnerabilities in numerous Tendenci modules  yesterday. Specifically a munged URL could be used in spam creating a link that looked legitimate. When a user clicked that link it would have then redirected them to a different site as intended by the bad guy.

The vulnerabilities have been patched and our programming team is continuing to test our security functions.

The timeline was we were contacted by security researcher Russ and Secunia yesterday morning. The patches were posted live on the server farm within hours.

Our biggest take away is a sense of gratitude for security researchers who help us keep our products and the Internet secure. It can be a thankless task so to be clear our position is THANK YOU!

FAQ:

Q: Did we lose any data?

A: No.

Q: Did any of our secure content get accessed?

A: No.

Q: Did any spammers take advantage of the cross site scripting vulnerabilities to redirect users?

A: We are researching this. So far we have only seen the safe tests run by the security researchers.

Q: What else do I need to do?

A: Nothing at this time. We have security as our top priority and will continue to do so.

Thanks,

Jennifer Brooks

UPDATE:
We are very pleased to read Russ’ post about our quick response to the Cross Site Scripting vulnerability, entitled ‘Fastest Fix in the West:  a vendor’s excellent response’.  We are amazingly passionate about Security, our software and our amazing Clients – so this recognition means a lot. Here’s an excerpt of his post:

Rare is the occasion when one who researches and responsibly reports
web application vulnerabilities is met with an open, immediate,
consumer oriented response from a vendor. But so it was when I let the
folks who develop Tendenci, a Schipul offering, know about a few XSS
issues…  To Schipul I say well done, extremely well done, and thank you…. (read the rest of the post)