Package: sitebar
Version: 3.3.8-1 3.2.6-7
Severity: serious
Tags: security

CVE-2006-3320: "Cross-site scripting (XSS) vulnerability in command.php in SiteBar 3.3.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the command parameter."

According to the SiteBar svn history page [1], this has not been fixed upstream. The original report [2] contains a simple proof-of-concept. I have not tested it.

The CVE indicates that the version in Sarge is also vulnerable.

Please mention the CVE in your changelog.

Thanks,
Alec

[1] http://teamforge.net/viewcvs/viewcvs.cgi/trunk/doc/history.txt?view=markup
[2] http://www.site.com/sitebar/command.php?command=[CODES]
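The bug class the CVE describes, a request parameter reflected into the page unescaped, as an added illustration that is not SiteBar's own code and not taken from the report above: the vulnerable handler beside a hardened one that whitelists the value and HTML-escapes anything it echoes. The function names, the command list and the sample request are assumptions.

```php
<?php
// Added illustration (not SiteBar's command.php): a handler that reflects
// the "command" request parameter, in the vulnerable and hardened forms.

// Vulnerable pattern: the raw request value is concatenated into HTML,
// so any markup in the parameter reaches the browser as markup.
function render_command_vulnerable(array $get): string
{
    $command = (string)($get['command'] ?? '');
    return "<h1>Unknown command: " . $command . "</h1>";
}

// Assumed list of commands the endpoint actually implements.
const KNOWN_COMMANDS = ['add_link', 'delete_link', 'edit_folder'];

// Hardened pattern: only whitelisted command names are used verbatim;
// anything else is HTML-escaped before it is reflected. ENT_QUOTES also
// neutralises quotes, which matters if the value lands in an attribute.
function render_command_hardened(array $get): string
{
    $command = (string)($get['command'] ?? '');
    if (!in_array($command, KNOWN_COMMANDS, true)) {
        $safe = htmlspecialchars($command, ENT_QUOTES | ENT_HTML401, 'UTF-8');
        return "<h1>Unknown command: " . $safe . "</h1>";
    }
    return "<h1>Running " . $command . "</h1>";
}

// Constructed request whose parameter carries markup instead of a command name.
$request = ['command' => '<i class="x">hi</i>'];

echo render_command_vulnerable($request), "\n"; // markup passes through unchanged
echo render_command_hardened($request), "\n";   // markup is escaped to text

// A whitelisted value still works normally.
echo render_command_hardened(['command' => 'add_link']), "\n";
```

Escaping at the point of output is the fix that applies regardless of how the parameter is later used; the whitelist additionally rejects values the endpoint never expects.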