Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 12 Jun 2011 16:49:33 +0200
From: Jan Lieskovsky <>
To: "Steven M. Christey" <>
CC:, Damyan Ivanov <>,
        Mark Stosberg <>,,
        Iain Arnell <>,
        Marcela Maslanova <>
Subject: CVE Request -- Data-FormValidator -- Reports invalid field as valid
 when untaint_all_constraints used

Hello, Josh, Steve, vendors,

   It was found that perl-Data-FormValidator, a HTML form user input
validator, used to treat certain invalid fields as valid, when the
untaint_all_constraints directive was used (default for majority of
Data-FormValidator routines). A remote attacker could use this flaw to
bypass perl Taint mode protection mechanism via specially-crafted input
provided to the HTML form.

Note: Hopefully Damyan, Mark can clarify here, if valid data from
       Data-FormValidator are automatically marked as untainted for
       perl Taint mode or not. If there still is perl Taint mode
       protection check present, even on valid Data-FormValidator
       data and it couldn't happen, that tainted data would be passed
       further to the script processing, then this is not a security


Could you allocate a CVE id for this?

Thank you & Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ