On Sun, Jan 23, 2005 at 05:12:15PM +0100, Uwe Hermann wrote:
> Hi,
>
> sorry, the mail about this bug somehow got lost in my inbox...
>
> (CC to debian-devel, any help with this issue is welcome)
>
>
> On Wed, Nov 17, 2004 at 03:45:55AM +0100, Nicolas Gregoire wrote:
> > Package: info2www
> > Version: 1.2.2.9-22
> > Severity: normal
> > Tags: security
> >
> > There's an XSS vulnerability in the info2www CGI.
> >
> > The following URL will display the document location using Javascript :
> > /cgi-bin/info2www?(coreutils)<script>alert(document.location)<script>
>
> Hm, seems like I can't reproduce this. If I enter the above URL in a
> browser (I tried Galeon and Firefox) I get:

If I change it to /script then I can reproduce the alleged problem.

I guess I don't understand XSS vulnerabilities... The whole point is
that malicious Mallory can post a link to nonmalicious site
nice.com/cgi-bin/info2www<script>alert("Boo!")</script>? That still
seems like a nonissue, because Mallory could just as easily have put an
alert() on his own page (okay, maybe if Mallory's page is in a
"malicious" list, and nice.com is in a "trusted" list it makes sense).

> > Every user-supplied parameter should be sanitized before use.
>
> ACK, I'll try to check the code, but it won't be easy I guess. The code
> is from 1996, unmaintained and quite surely contains lots more security
> issues.

This shouldn't be difficult, really. The only user input comes from the
URL, and it should probably be restricted to certain character ranges
[a-z0-9-] or something.

Justin
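
The restriction discussed in this thread, as an added example (not part of the original messages and not info2www's own code): an allowlist check on the query string combined with HTML-escaping of anything echoed back. The `(file)node` query shape is inferred from the URL in the report; the function names and the exact character sets are assumptions, wider than `[a-z0-9-]` because the reported URL itself contains parentheses.

```python
import html
import re
from urllib.parse import unquote

# Assumed query shape "(file)node", inferred from the URL in the bug report.
QUERY_RE = re.compile(r"\((?P<file>[A-Za-z0-9._+-]+)\)(?P<node>.*)", re.DOTALL)
# Assumed allowlist for node names: letters, digits, space, light punctuation.
NODE_RE = re.compile(r"[A-Za-z0-9 ._+:,/-]*")


def parse_query(raw_query):
    """Return (file, node) for an acceptable query, or None to reject it."""
    decoded = unquote(raw_query)  # validate what the script will actually use
    m = QUERY_RE.fullmatch(decoded)
    if m is None or NODE_RE.fullmatch(m.group("node")) is None:
        return None
    return m.group("file"), m.group("node")


def render_page(raw_query):
    """Return (status, body); every user-derived string is HTML-escaped."""
    parsed = parse_query(raw_query)
    if parsed is None:
        # Even the error page must not reflect the raw input.
        shown = html.escape(unquote(raw_query), quote=True)
        return 400, f"<h1>Bad request</h1><p>Invalid node: {shown}</p>"
    file, node = parsed
    # Escape on output as well, so a gap in the allowlist is not fatal.
    title = html.escape(f"({file}){node}", quote=True)
    return 200, f"<h1>Info: {title}</h1>"


if __name__ == "__main__":
    # Constructed sample queries: two plain ones and two carrying markup.
    samples = [
        "(coreutils)",
        "(coreutils)ls%20invocation",
        "(coreutils)<script>alert(document.location)</script>",
        "(coreutils)%3Cscript%3Ealert(1)%3C/script%3E",
    ]
    for q in samples:
        print(q, "->", render_page(q))
```

The allowlist rejects markup before any lookup happens, and the escaping covers the case where a rejected or unexpected value still ends up in the response.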