Hi, sorry, the mail about this bug somehow got lost in my inbox...
(CC to debian-devel, any help with this issue is welcome) On Wed, Nov 17, 2004 at 03:45:55AM +0100, Nicolas Gregoire wrote: > Package: info2www > Version: 1.2.2.9-22 > Severity: normal > Tags: security > > There's a XSS vulnerabilty in the info2www CGI. > > The following URL will display the document location using Javascript : > /cgi-bin/info2www?(coreutils)<script>alert(document.location)<script> Hm, seems like I can't reproduce this. If I enter the above URL in a browser (I tried Galeon and Firefox) I get: Sorry! - Couldn't find target: "alert(document.location)" in file "coreutils". No document location is revealed and the rest of the page is shown as usual... Can you provide another example and/or tell me what I did wrong? Also, I checked not only my local install but also some info2www installations on the internet (found using Google), they reveal the same behaviour. > Every user-supplied parameter should be sanitized before use. ACK, I'll try to check the code, but it won't be easy I guess. The code is from 1996, unmaintained and quite surely contains lots more security issues. Any help and/or patches are really welcome! Uwe. -- Uwe Hermann <[EMAIL PROTECTED]> http://www.hermann-uwe.de | http://www.crazy-hacks.org http://www.it-services-uh.de | http://www.phpmeat.org http://www.unmaintained-free-software.org | http://www.holsham-traders.de -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
