Date: Thu, 27 Oct 2011 16:00:48 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: Craig Barratt <cbarratt@...rs.sourceforge.net>, coley@...us.mitre.org, oss-security <oss-security@...ts.openwall.com>
Cc: security@...ntu.com
Subject: CVE Request: Security issue in backuppc

Hi Craig,

While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered another XSS vulnerability in View.pm when accessing the following URLs in backuppc:

index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>

You are being emailed as the upstream contact. Please keep oss-security@...ts.openwall.com CC'd for any updates on this issue.

To oss-security, can I have a CVE for this? It is essentially the same vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead of CGI/Browse.pm.

Attached is a patch to fix this issue. Tested on 3.0.0, 3.1.0, 3.2.0 and 3.2.1.

--
Jamie Strandboge | http://www.canonical.com

View attachment "view.diff" of type "text/x-patch" (410 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
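The report above describes the "num" query parameter being reflected into the generated page unescaped. The following Perl is an added illustration of the two defensive layers a fix for this class of bug applies (reject values that are not a backup number, and HTML-escape whatever is echoed); it is not BackupPC's code and not the attached view.diff, and the function names, the title template and the sample inputs are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not BackupPC's own code. Shows input validation plus output
# escaping for a reflected CGI parameter such as "num" in a view request.
use strict;
use warnings;

# Minimal HTML escaping of the characters that let a value break out of text
# context. Hypothetical helper; a real CGI would normally use a library.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# A backup number is a non-negative integer. Anything else is rejected before
# it is used for file lookup or echoed back into the page.
sub validate_num {
    my ($num) = @_;
    return undef unless defined $num && $num =~ /^\d+$/;
    return $num;
}

# Constructed page fragment standing in for the log-view title. Every value
# that came from the request is escaped, including the fallback text path.
sub render_title {
    my ($type, $num, $host) = @_;
    my $safe_num = validate_num($num);
    my $label    = defined $safe_num ? $safe_num : 'invalid backup number';
    return sprintf('<h1>%s for backup %s on host %s</h1>',
        html_escape($type), html_escape($label), html_escape($host));
}

# Constructed requests: one legitimate, one with markup in the "num" value.
for my $num ('123', '<b>not a number</b>') {
    print render_title('XferLOG', $num, 'host1'), "\n";
}
```

The second request is rejected by validate_num, and even the rejection path passes through html_escape, so the markup never reaches the browser as tags.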