Date: Fri, 03 Sep 2010 15:13:50 -0500
From: Raphael Geissert <>
Subject: CVE request: XSS in nusoap


An XSS vulnerability has been reported against the nusoap PHP library, caused 
by insufficient sanitization of untrusted data ($_SERVER['PHP_SELF']) -- 

Original report against mantisbt:

Report against nusoap (and further references):

The fixes proposed by David Hicks[1] (from mantisbt) add escaping to some 
other variables, but I haven't verified if they are actually exploitable (if 
that's so, the patch might need to pass the charset to htmlentities too.)


Could a CVE id be assigned?

Raphael Geissert - Debian Developer -
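
Added example, not part of the original message and not nusoap or mantisbt code: the pattern the report describes, $_SERVER['PHP_SELF'] written into HTML, shown unescaped and then escaped with htmlentities() and an explicit charset. The function names, the sample path and the UTF-8 default are assumptions made for illustration.

```php
<?php
// Illustrative only: hypothetical helpers, not taken from nusoap or mantisbt.

// Unescaped pattern: PHP_SELF carries any extra path info from the request
// URL, so client-supplied characters reach the HTML output verbatim.
function endpoint_link_unescaped(array $server): string
{
    return '<a href="' . $server['PHP_SELF'] . '?wsdl">WSDL</a>';
}

// Escaped pattern: encode for an HTML attribute context. ENT_QUOTES covers
// both quote styles, and the charset is passed explicitly so the escaping
// matches the encoding the page is served with (assumed UTF-8 here).
function escape_self(array $server, string $charset = 'UTF-8'): string
{
    return htmlentities($server['PHP_SELF'], ENT_QUOTES, $charset);
}

function endpoint_link_escaped(array $server, string $charset = 'UTF-8'): string
{
    return '<a href="' . escape_self($server, $charset) . '?wsdl">WSDL</a>';
}

// Alternative: SCRIPT_NAME holds only the script path, without the trailing
// path info, and is still escaped before output.
function endpoint_link_script_name(array $server, string $charset = 'UTF-8'): string
{
    $name = htmlentities($server['SCRIPT_NAME'], ENT_QUOTES, $charset);
    return '<a href="' . $name . '?wsdl">WSDL</a>';
}

// Regression check: true if a value still contains raw markup delimiters.
function has_raw_markup(string $value): bool
{
    return strpbrk($value, '<>"\'') !== false;
}

// Constructed sample request: script path followed by path info that
// contains markup characters.
$sample = [
    'PHP_SELF'    => '/soap.php/"><b>x</b>',
    'SCRIPT_NAME' => '/soap.php',
];

echo endpoint_link_unescaped($sample), "\n";
echo endpoint_link_escaped($sample), "\n";
echo endpoint_link_script_name($sample), "\n";
var_dump(has_raw_markup($sample['PHP_SELF']));   // raw request value
var_dump(has_raw_markup(escape_self($sample)));  // value after escaping
```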
