I have been researching the issue as reported by my previous webhost.

It appears that around the start of February this year, a vulnerability was found in AshNews 0.83 (and possibly previous versions). AshNews from Ashwebstudio allows people to inject a script into its URL and executes the script as if it had been run from the website.

I have removed AshNews from my websites, but be careful if you have it installed. I did notice someone had been searching my websites for the phrase "Powered by Ashnews". If you have this phrase in your web stats, you may be targeted soon. They can also use Cross-site scripting to execute a script not on the website.
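One way to run the web-stats check described above over raw access logs (an added example, not part of the original post or of AshNews). It flags visitors whose referrer is a search for the footer phrase and requests whose parameters carry a remote URL or a script tag. It assumes Apache combined log format; the log lines, hosts and the parameter name `demo_param` are constructed, since the post does not give the request format.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')
PHRASE = "powered by ashnews"  # footer phrase named in the post
# Assumption: injected input shows up as a remote URL or a script tag in a parameter.
SUSPECT = re.compile(r"^\s*(?:https?|ftp)://|<\s*script", re.I)

def classify(line):
    """Return the set of findings for one access-log line (empty set = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return set()
    findings = set()
    # parse_qsl undoes percent-encoding and '+', so encoded queries still match.
    for _, value in parse_qsl(urlsplit(m["referer"]).query):
        if PHRASE in value.lower():
            findings.add("footer-phrase-search")
    for _, value in parse_qsl(urlsplit(m["target"]).query):
        if SUSPECT.search(value):
            findings.add("script-in-url")
    return findings

def scan(lines):
    """Map client address -> union of findings across all of its log lines."""
    report = {}
    for line in lines:
        found = classify(line)
        if found:
            report.setdefault(line.split(" ", 1)[0], set()).update(found)
    return report

# Constructed sample lines (documentation addresses, placeholder hosts and dates).
SAMPLE = [
    '203.0.113.5 - - [01/Jan/2000:10:00:00 +0000] "GET /news/ HTTP/1.1" 200 5120 '
    '"http://search.example/search?q=%22Powered+by+Ashnews%22" "Mozilla/5.0"',
    '203.0.113.5 - - [01/Jan/2000:10:00:09 +0000] "GET /news/index.php?'
    'demo_param=http%3A%2F%2Fhost.example%2Fa.txt HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2000:10:01:00 +0000] "GET /news/index.php?id=12 HTTP/1.1" '
    '200 4096 "http://search.example/search?q=site+news" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, found in scan(SAMPLE).items():
        print(host, sorted(found))
```

A client that shows both findings searched for the footer and then sent a suspicious request, which makes it the first one to look at.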

You can read more on the Security Focus website:

http://www.securityfocus.com/bid/16426/exploit

My suggestion is to remove AshNews and its subdirectories and find something else to do the news for you.

3 Responses to “AshNews vulnerability”
  1. Chris says:

    That’s a little extreme ;)

    Just keep your software updated :P

  2. WauloK says:

    There isn’t any. Ashwebstudio has not released a version since 0.83 despite saying they will time and time again.
    They’ve remodelled their website and have promised to release new software soon, but 0.83 is the latest version and it’s vulnerable.
    So :P to you too!

  3. Chris says:

    Well that’s just plain silly!
