oss-security - Re: CVE Request: Security issue in backuppc

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Tue, 3 Jan 2012 20:55:19 +0100
From: Moritz Mühlenhoff <jmm@...til.org>
To: oss-security@...ts.openwall.com
Cc: Craig Barratt <cbarratt@...rs.sourceforge.net>, cve-assign@...re.org,
	security@...ntu.com
Subject: Re: CVE Request: Security issue in backuppc

On Thu, Oct 27, 2011 at 04:00:48PM -0500, Jamie Strandboge wrote:
> Hi Craig,
> 
> While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
> another XSS vulnerability in View.pm when accessing the following URLs
> in backuppc:
> index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
> index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>
> 
> You are being emailed as the upstream contact. Please keep
> oss-security@...ts.openwall.com[1] CC'd for any updates on this issue.
> 
> To oss-security, can I have a CVE for this? It is essentially the same
> vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead
> of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on
> 3.0.0, 3.1.0, 3.2.0 and 3.2.1.

*ping*

This hasn't ended up in a CVE assignment.

Cheers,
        Moritz

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.