Date: Thu, 27 Jul 2006 14:56:58 +0200 From: Krischan Jodies <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Cross Site Scripting vulnerability in ipcalc
Dear Bartosz,

ipcalc made it to bugtraq this week, because someone discovered an XSS vulnerability in the cgi script. We have this script in debian stable:

oscar:~# dpkg -L ipcalc
/.
/usr
/usr/bin
/usr/bin/ipcalc
/usr/share
/usr/share/doc
/usr/share/doc/ipcalc
/usr/share/doc/ipcalc/README
/usr/share/doc/ipcalc/README.Debian
/usr/share/doc/ipcalc/copyright
/usr/share/doc/ipcalc/changelog.Debian.gz
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/ipcalc.1.gz
/usr/share/man/man1/ipcalc_cgi.1.gz
/usr/lib
/usr/lib/cgi-bin
/usr/lib/cgi-bin/ipcalc

The fix is trivial, and I would suggest applying it to the stable version:

oscar:/home/kjodies# diff -u ipcalc ipcalc.new
--- ipcalc 2006-07-27 14:52:31.453712512 +0200
+++ ipcalc.new 2006-07-27 14:53:16.011938632 +0200
@@ -11,7 +11,7 @@ $|=1; $ipcalc = "/usr/bin/ipcalc"; -$actionurl = $ENV{'REQUEST_URI'}; +$actionurl = $ENV{'SCRIPT_URL'}; use CGI; $query = new CGI; $host = $query->param('host');

For unstable I published a new release: http://jodies.de/ipcalc-archive/ipcalc-0.41.tar.gz

It contains no changes except the above patch.

Greetings,
Krischan
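Review bot: the replacement of $ENV{'REQUEST_URI'} with $ENV{'SCRIPT_URL'} in the hunk removes the attacker-controlled query string from $actionurl, but it still interpolates a raw environment value into HTML and relies on a variable that is not part of CGI/1.1: SCRIPT_URL is set by Apache's mod_rewrite, so on other servers (or without that module) $actionurl is simply undefined. Suggest the portable SCRIPT_NAME and escaping at the output point regardless of where the value comes from, e.g. `$actionurl = CGI::escapeHTML($ENV{'SCRIPT_NAME'});`. The same hunk shows `$host = $query->param('host');` being read from the request, but not how $host is later emitted; since the patch fixes only the one reflection in the form action, please confirm that $host (and the other parameters) are HTML-escaped on output as well.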
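As an added illustration (not ipcalc's code and not part of the mail above), the following Perl shows why building the form action from REQUEST_URI reflects attacker input, and a hardened variant. It keeps the script's own CGI module but uses SCRIPT_NAME rather than the patch's SCRIPT_URL, because SCRIPT_NAME is a standard CGI/1.1 variable while SCRIPT_URL is Apache-specific; the %env values are constructed, and the function names are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration, not ipcalc's code: how a REQUEST_URI-built form
# action reflects attacker input, and a hardened replacement.
use strict;
use warnings;
use CGI;

# Vulnerable pattern (the "-" line of the patch): REQUEST_URI carries the
# query string verbatim, so everything after "?" is under the requester's
# control and lands inside an HTML attribute unescaped.
sub form_action_vulnerable {
    my ($env) = @_;
    my $actionurl = $env->{'REQUEST_URI'};
    return qq{<form action="$actionurl" method="get">};
}

# Hardened variant: take only the script path and HTML-escape it before
# interpolation. SCRIPT_NAME is a standard CGI/1.1 variable; the patch's
# SCRIPT_URL is set by Apache's mod_rewrite and may be absent elsewhere.
sub form_action_hardened {
    my ($env) = @_;
    my $path = defined $env->{'SCRIPT_NAME'} ? $env->{'SCRIPT_NAME'} : '';
    my $actionurl = CGI::escapeHTML($path);
    return qq{<form action="$actionurl" method="get">};
}

# Constructed CGI environment (hypothetical values, not a real capture):
# the host parameter closes the action attribute and injects markup.
my %env = (
    'SCRIPT_NAME' => '/cgi-bin/ipcalc',
    'REQUEST_URI' => '/cgi-bin/ipcalc?host="><script>alert(1)</script><a href="',
);

print "vulnerable: ", form_action_vulnerable(\%env), "\n";
print "hardened:   ", form_action_hardened(\%env), "\n";
```

Running it prints the vulnerable line with the injected script element sitting inside the form tag, while the hardened line is just `<form action="/cgi-bin/ipcalc" method="get">`. The point of escaping even the "safe" path is that the fix then no longer depends on which variable the web server happens to populate.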