Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 27 Oct 2011 16:00:48 -0500
From: Jamie Strandboge <>
To: Craig Barratt <>,, 
	oss-security <>
Subject: CVE Request: Security issue in backuppc

Hi Craig,

While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
another XSS vulnerability in when accessing the following URLs
in backuppc:
index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>

You are being emailed as the upstream contact. Please keep[1] CC'd for any updates on this issue.

To oss-security, can I have a CVE for this? It is essentially the same
vulnerability and fix as for CVE-2011-3361, but in CGI/ instead
of CGI/ Attached is a patch to fix this issue. Tested on
3.0.0, 3.1.0, 3.2.0 and 3.2.1.

Jamie Strandboge             |

View attachment "view.diff" of type "text/x-patch" (410 bytes)

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ