Package: elog
Version: 2.6.1+r1642-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

when editing a log entry in HTML mode, elog accepts arbitrary JavaScript code. This code will be executed in the browser of other users viewing the entry (provided they have JavaScript enabled), thus exposing the users to an XSS (cross site scripting) attack.

To reproduce the problem, add or edit a log entry, switch to HTML mode and enter the following code snippet:

--------------------------------8<------------------------------
<script type='text/javascript'>
<!--
alert("There seems to be the possibility of an XSS attack...");
//-->
</script>
--------------------------------8<------------------------------

When viewing the entry, a JavaScript popup should appear.

To remedy the problem, all <script> tags should be filtered out (or better yet, only "safe" HTML code should be allowed). At the very least, it should be possible to disable HTML entries (and this should be the default, with a big warning if someone wants to change it).

Cheers,
Til

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-amd64-k8-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages elog depends on:
ii  adduser                       3.97           Add and remove users and groups
ii  libc6                         2.3.6.ds1-4    GNU C Library: Shared libraries

elog recommends no packages.

-- no debconf information
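The report's preferred remedy is to allow only "safe" HTML rather than to strip <script> tags one by one. The following is an added illustration of that allowlist approach, written for this page; it is not code from the bug report or from the elog project. It uses Python's standard html.parser to rebuild an entry from an explicit set of permitted tags and attributes, dropping everything else (script and style content entirely, unknown tags while keeping their text, all attributes except href on links, and any href whose scheme is not on a short list). The tag allowlist, the function names sanitize_html and is_safe_url, and the sample inputs in the test are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist chosen for this example; a real deployment
# would pick the tags its log entries actually need.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "p", "br",
                "ul", "ol", "li", "pre", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
VOID_TAGS = {"br"}                        # tags that take no closing tag
DROP_CONTENT_TAGS = {"script", "style"}   # tag AND its content are removed
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL


def is_safe_url(value):
    """Accept only relative URLs and a few explicit schemes on href."""
    scheme = urlparse((value or "").strip()).scheme.lower()
    return scheme in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a fragment, keeping only allowlisted markup."""

    def __init__(self):
        # convert_charrefs=True: handle_data receives decoded text,
        # which we re-escape on output so no raw markup survives.
        super().__init__(convert_charrefs=True)
        self.out = []          # output pieces
        self.open_tags = []    # stack of emitted, still-open tags
        self.skip_depth = 0    # >0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not is_safe_url(value):
                continue
            safe_attrs.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close any inner tags left open so the output stays well-formed.
            while self.open_tags:
                inner = self.open_tags.pop()
                self.out.append(f"</{inner}>")
                if inner == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are never reproduced

    def finish(self):
        self.close()  # flush any buffered text
        while self.open_tags:  # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(fragment):
    """Return an allowlist-filtered version of an HTML fragment."""
    sanitizer = AllowlistSanitizer()
    sanitizer.feed(fragment)
    return sanitizer.finish()


if __name__ == "__main__":
    # Constructed sample: the shape of entry the report describes.
    sample = ("<p>Run <b>finished</b></p>"
              "<script type='text/javascript'><!-- alert(1); //--></script>")
    print(sanitize_html(sample))
```

The point of building the output from the parser's events, rather than deleting substrings from the input, is that the sanitizer never has to recognise every spelling of a dangerous construct: anything it does not explicitly know is either reduced to escaped text or dropped. Applying this at save time (and again at render time, if the stored entries predate the filter) is the usual place for such a check in a web application.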