- Credits: Designed by Liam Cooke and powered by Tumblr.
-
Following:
![[ragetoons]](http://27.media.tumblr.com/avatar_2df469cf93fe_30.png "FFFFFFFFFFFFUUUUUUUUU (ragetoons)")
![[innismir]](http://30.media.tumblr.com/avatar_d8108a6bde0f_30.png "Pointless and Vapid Bits (innismir)")
![[swytch]](http://24.media.tumblr.com/avatar_181a7b783d72_30.png "Swytch :: (swytch)")
![[thechangelog]](http://27.media.tumblr.com/avatar_1fafc82c6456_30.png "The Changelog - Open Source moves fast. Keep up. (thechangelog)")
![[demosthenes]](http://29.media.tumblr.com/avatar_924178f4ed67_30.png "the anti-shazzzam (demosthenes)")
![[fuckyeah4chan]](http://24.media.tumblr.com/avatar_af2a43cd6cc7_30.png "Fuck Yeah 4Chan (fuckyeah4chan)")
![[hybernaut]](http://30.media.tumblr.com/avatar_dbcd50f54693_30.gif "the institute of hybernautics (hybernaut)")
![[hexesec]](http://25.media.tumblr.com/avatar_ed2f6ea86b03_30.png "0x0e.org | brainzdump (hexesec)")
![[keffj]](http://30.media.tumblr.com/avatar_eac93f73588d_30.png "Untitled (keffj)")
![[jayjbeale]](http://assets.tumblr.com/images/default_avatar_30.gif "Untitled (jayjbeale)")
I reported an XSS vulnerability in SimpleID’s login page and they fixed it right quick:
quine@durandal% diff simpleid-0.6.4/www/user.inc simpleid-0.6.5/www/user.inc
27c27
< * $Id: user.inc 99 2009-05-08 10:12:51Z kmo $
—-
> * $Id: user.inc 161 2009-08-25 11:29:19Z kmo $
292c292
< if ($state) $xtpl->assign(‘state’, $state);
—-
> if ($state) $xtpl->assign(‘state’, htmlspecialchars($state, ENT_QUOTES, ‘UTF-8’));
359c359
< header(‘X-XRDS-Location’, SIMPLEID_BASE_URL . ‘/index.php?q=xrds/’ . $uid);
—-
> header(‘X-XRDS-Location: ’ . SIMPLEID_BASE_URL . ‘/index.php?q=xrds/’ . $uid);
Amazing how just a few characters makes such a difference. Also, CJI was kind enough to open an OSVDB entry for this on my behalf. Now *I* just have to mangle it…
