Date: Thu, 2 Oct 2008 18:30:47 +0200
From: Gerfried Fuchs <rhonda@....at>
To: oss-security@...ts.openwall.com
Subject: blosxom XSS issue (CVE-2008-2236)

	Hi!

 I'd like to inform you of an XSS issue in blosxom which was reported
by Yoshinori Ohta of Business Architects Inc. and got assigned the IDs
CVE-2008-2236 and JVN#03300113. The problem allowed injecting arbitrary
output into the default error page and possibly any plugin that uses the
$flavour variable in its output directly.

 A fixed version was released today and announced on the blosxom-users
list:
<http://sourceforge.net/mailarchive/forum.php?thread_name=20081002155914.GL10579%40sym.noone.org&forum_name=blosxom-users>

 The Debian Bug about the issue:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500873>

 The patch to fix the problem:
<http://blosxom.cvs.sourceforge.net/viewvc/blosxom/blosxom2/blosxom.cgi?r1=1.83&r2=1.84>

 Hope that helps. :)
Rhonda
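As an added illustration, not code from blosxom or from the linked patch: the pattern the report describes, a request-supplied $flavour interpolated straight into an error page, beside an output-escaped version. The subroutine names, the error message wording and the assumption that $flavour arrives unvalidated from the request are mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern (assumed shape, not blosxom's actual code): the
# request-controlled flavour is interpolated into HTML without escaping,
# so any markup in it is reflected to the browser verbatim.
sub error_page_unsafe {
    my ($flavour) = @_;
    return qq{<p>Error: no "$flavour" flavour is available.</p>};
}

# Escape the five characters that matter in HTML text and attribute context.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Hardened pattern: escape at the point of output. If the flavour is also
# used to pick a template file, additionally restrict it to a plain name
# (e.g. /^[A-Za-z0-9_-]+$/) before use; escaping alone does not do that.
sub error_page_safe {
    my ($flavour) = @_;
    $flavour = '' unless defined $flavour;
    return '<p>Error: no "' . html_escape($flavour) . '" flavour is available.</p>';
}

# Constructed sample inputs: a legitimate flavour and one carrying markup.
for my $f ('rss', '<b onmouseover="x()">rss</b>') {
    print "unsafe: ", error_page_unsafe($f), "\n";
    print "safe:   ", error_page_safe($f),   "\n";
}
```

The same html_escape call belongs in any plugin that echoes $flavour, since the report notes plugins using the variable directly are exposed in the same way.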