
Alleged Security Issue in Lighthouse

On February 10, 2006, it was brought to our attention that the web page pridels.blogspot.com claims to have found a security issue in Lighthouse on December 18, 2005. At http://pridels.blogspot.com/2005/12/lighthouse-cms-xss-vuln.html it is claimed that Lighthouse is susceptible to client-side cross-site scripting attacks.

We wish to inform you that this notification is false: the allegation lacks any basis. The Lighthouse Content Management System is not, and never has been, susceptible to attacks of this kind, and it has no known security issues in this or any other respect. In our opinion, security warnings concerning software products have to be taken very seriously; this, however, requires that security warnings be verified diligently before they are made public.

We regret how carelessly this has been handled by pridels.blogspot.com and wish to point out the following:
  • We have not been informed of this alleged security issue, neither before nor after the publication mentioned above.
  • Other web pages, e.g. http://www.osvdb.org/displayvuln.php?osvdb_id=21852, have copied the false statement without further verification and describe the alleged issue as follows: "This flaw exists because the application does not validate the 'search' variable upon submission to the 'index.php' script." This statement is absurd, because Lighthouse does not in any way make use of the PHP technology.
  • The Lighthouse Content Management System is an application server that provides the user with powerful functionality to create, program and manage web-based applications. A technology of this kind cannot be susceptible to client-side cross-site scripting attacks on its own; only applications created on top of such a technology can be. This applies not only to Lighthouse, but equally to Perl, PHP or web applications based on Java Servlet technology.
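The distinction drawn in the last point, that reflected cross-site scripting lives in how an individual application writes a request parameter back into its HTML rather than in the server platform beneath it, can be illustrated with a small example. The code below is added here for illustration and is not Lighthouse code nor code from the cited reports; it is a generic Python rendering of a "search" parameter on an assumed platform-neutral request path, with a vulnerable and a hardened version of the same application function side by side, plus a check a reviewer could run to tell them apart. The query strings are constructed sample input.

```python
import html
from urllib.parse import parse_qs

# Constructed sample query strings (hypothetical input, not from any real site).
SAMPLE_QUERIES = [
    "search=lighthouse",
    "search=%3Cb%3Ebold%3C%2Fb%3E",   # URL-encoded "<b>bold</b>"
]

PREFIX = "<p>Results for: "
SUFFIX = "</p>"


def get_search_term(query_string):
    """Return the 'search' parameter exactly as the client sent it.

    This is what the platform does: it decodes the parameter. Whether the
    value is safe to place in HTML is decided by the application, not here.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("search", [""])[0]


def render_results_vulnerable(query_string):
    """Application-layer defect: the term is written into HTML verbatim,
    so any markup characters in it are interpreted by the browser."""
    term = get_search_term(query_string)
    return f"{PREFIX}{term}{SUFFIX}"


def render_results_hardened(query_string):
    """Same application on the same platform, with the term HTML-encoded at
    the point of output. Only the application's output handling changed."""
    term = get_search_term(query_string)
    return f"{PREFIX}{html.escape(term, quote=True)}{SUFFIX}"


def contains_raw_markup(page):
    """Review check: does the reflected term reach the page with '<' or '>'
    left unencoded? True indicates the application is reflecting markup."""
    reflected = page[len(PREFIX):len(page) - len(SUFFIX)]
    return "<" in reflected or ">" in reflected


def audit(queries=SAMPLE_QUERIES):
    """Run both renderers over the sample input and report, per query,
    whether each variant reflects raw markup."""
    return {
        q: {
            "vulnerable": contains_raw_markup(render_results_vulnerable(q)),
            "hardened": contains_raw_markup(render_results_hardened(q)),
        }
        for q in queries
    }


if __name__ == "__main__":
    for query, result in audit().items():
        print(query, result)
```

The platform function `get_search_term` is identical in both paths; the difference that decides whether the page reflects markup is entirely inside the application's rendering code, which is the point the statement above makes about application servers in general.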