Security Advisory: January 2016, #1



A vulnerability was discovered that allowed JavaScript to be injected into the HTML view that renders channel content.

Codeux Software is not aware of any case in which this vulnerability was abused in the wild.


The vulnerability, which was discovered by Wladimir Palant, has existed since version 2.1.1 (mid-2012) of Textual.

Double quotes (") are allowed to appear inside a URL which means a person with malicious intent had the power to append code to the HTML anchor element which is used to turn a URL into a link.

The vulnerability was fixed by appropriately escaping the characters inside each URL.

Proof of Concept

This web page will be displayed to anyone who hovers their mouse pointer over the URL displayed below."onmouseover="eval(atob('d2luZG93LmxvY2F0aW9uPSdodHRwczovL2hlbHAuY29kZXV4LmNvbS90ZXh0dWFsL1NlY3VyaXR5LUFkdmlzb3J5LUphbnVhcnktMjAxNi0xLmtiJzs='))

This works by decoding the encoded data and evaluating it as JavaScript.

The encoded data, when decoded, is:

Last modified: August 23, 2017
The contents of this webpage are released into the Public Domain for unlimited distribution.