Your message dated Thu, 16 Sep 2010 12:48:00 +0800
with message-id <4c91a180.3080...@goirand.fr>
and subject line SOLVED !
has caused the Debian Bug report #595248,
regarding Unescaped PHP_SELF XSS vulnerabilities in NuSOAP 0.9.5
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
595248: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=595248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: nusoap
Version: 0.9.5-1
Owner: olivier.ber...@it-sudparis.eu
Tags: security

Bogdan Calin of Acunetix discovered some cross-site scripting
vulnerabilities in NuSOAP 0.9.5 relating to lack of escaping of
PHP_SELF. This is an issue because of potentially malicious URLs being
constructed along the lines of:

http://site/soapserver.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E

In such an event, NuSOAP will print a WSDL output page (service
description) containing the maliciously crafted URL.

An upstream bug report exists at
http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005
and a preliminary patch has been provided by the MantisBT project (which
bundles NuSOAP) at: http://www.mantisbt.org/bugs/view.php?id=12312




--- End Message ---
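
The issue described in the report above, as an added example that is not part of the original message and is not NuSOAP code: a simplified page fragment that places PHP_SELF into HTML, first unescaped and then encoded with htmlspecialchars(). The function names and the link markup are hypothetical; the request path is the one quoted in the report.

```php
<?php
// Added illustration, not NuSOAP source. All function names are hypothetical.

// Constructed input: the request path from the report, as sent by the client.
$requestPath = '/soapserver.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E';

// PHP_SELF is the script name plus any trailing path info, URL-decoded,
// so part of it is client-controlled even though the script file is fixed.
function simulatePhpSelf(string $requestPath): string
{
    return rawurldecode($requestPath);
}

// Unsafe pattern: the value is concatenated into markup unchanged.
function renderServiceLinkUnescaped(string $phpSelf): string
{
    return '<a href="' . $phpSelf . '?wsdl">WSDL</a>';
}

// Hardened pattern: encode for the HTML context before output.
// ENT_QUOTES matters because the value lands inside a quoted attribute.
function renderServiceLinkEscaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '?wsdl">WSDL</a>';
}

// True when the rendered markup still carries a literal script tag.
function hasRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$phpSelf = simulatePhpSelf($requestPath);

foreach ([
    'unescaped' => renderServiceLinkUnescaped($phpSelf),
    'escaped'   => renderServiceLinkEscaped($phpSelf),
] as $label => $html) {
    printf("%-9s raw script tag: %s\n", $label, hasRawScriptTag($html) ? 'yes' : 'no');
    echo $html, "\n\n";
}
```

Where the trailing path info is not needed at all, $_SERVER['SCRIPT_NAME'] can be used in place of PHP_SELF, since it does not include it; output encoding still applies to anything written into the page.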
--- Begin Message ---

--- End Message ---
