On Fri, 2006-12-08 at 17:55 +0100, Thijs Kinkhorst wrote:
> On Fri, 2006-12-08 at 10:02 -0300, Alex de Oliveira Silva wrote:
> > 1) The application allows users to send messages via HTTP requests
> > without performing any validity checks to verify the request. This can
> > be exploited to send messages to arbitrary users by e.g. tricking a
> > target user into visiting a malicious website.
> >
> > 2) Input passed to the form field "Message body" in privmsg.php is not
> > properly sanitised before it is returned to the user when sending
> > messages to a non-existent user. This can be exploited to execute
> > arbitrary HTML and script code in a user's browser session in context
> > of an affected site.
>
> Thank you for your report. I will wait a small bit to see whether and
> how upstream responds to this.
Upstream CVS commits suggest that a new release is in preparation, but it's not quite there yet. Concerning the two vulnerabilities:

The second one (CVE-2006-6421) is simple XSS and the patch is trivial. I've extracted it from upstream and applied it in our package repository. Consider it "pending". Sarge is NOT vulnerable to this item; please mark it as such. Thanks.

The first one (CVE-2006-6508) seems to concern cross site request forgery. Here I need help from the security team: is XSRF actually something we're fixing in security updates? The patch will be quite invasive for that, touching many files, and I seriously doubt whether any XSRF is adequately fixable at all.

For unstable and testing, I'm tempted to wait a little bit to see what upstream releases (they are not that communicative about it). If it contains only security-related changes, I prefer to upload that to sid + etch, including the xsrf "fix", just to take the extra precaution. If not, I can easily upload only the xss-fix.

Regarding sarge: I'd like to hear the security team's opinion on XSRF and whether it must be fixed.

Thijs
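For readers of the thread, an added illustration (not code from the upstream project or the Debian package) of the defensive shape the two items call for in a privmsg.php-style handler: a per-session token that the form must echo back, so a request forged from another site is rejected, and output escaping on the error path that reflects the "Message body" field. `user_exists()` and `send_private_message()` are assumed placeholder helpers, and `random_bytes()`/`hash_equals()` assume PHP 7 or later.

```php
<?php
// Added example, not the package's own code: a hardened private-message
// handler sketch. user_exists() and send_private_message() are assumed
// placeholders for the application's real lookup and delivery routines.
session_start();

// Issue one anti-CSRF token per session; the form must send it back.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject POSTs that lack the session's token (the request-forgery item).
// hash_equals() compares in constant time.
function csrf_check(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string)$post['csrf_token']);
}

// Escape anything reflected back into HTML (the XSS item).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    $to   = (string)($_POST['to'] ?? '');
    $body = (string)($_POST['message_body'] ?? '');
    if (!user_exists($to)) {                 // assumed helper
        // The "no such user" page echoes the submitted body: escape it.
        echo '<p>No such user. Your message was:</p><pre>' . h($body) . '</pre>';
        exit;
    }
    send_private_message($to, $body);        // assumed helper
    echo '<p>Message sent.</p>';
    exit;
}
?>
<form method="post" action="privmsg.php">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <input name="to">
  <textarea name="message_body"></textarea>
  <button type="submit">Send</button>
</form>
```

The token check is what makes the "invasive" patch Thijs mentions: every state-changing form in the application needs the hidden field and the corresponding check, which is why the fix touches many files.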