Date: Wed, 04 Jan 2012 14:08:49 -0700
From: Kurt Seifried <kseifrie@...hat.com>
To: oss-security@...ts.openwall.com
CC: Moritz Mühlenhoff <jmm@...til.org>,
        Craig Barratt <cbarratt@...rs.sourceforge.net>, cve-assign@...re.org,
        security@...ntu.com
Subject: Re: CVE Request: Security issue in backuppc

On 01/03/2012 02:21 PM, Kurt Seifried wrote:
> On 01/03/2012 12:55 PM, Moritz Mühlenhoff wrote:
>> On Thu, Oct 27, 2011 at 04:00:48PM -0500, Jamie Strandboge wrote:
>>> Hi Craig,
>>>
>>> While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
>>> another XSS vulnerability in View.pm when accessing the following URLs
>>> in backuppc:
>>> index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
>>> index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>
>>>
>>> You are being emailed as the upstream contact. Please keep
>>> oss-security@...ts.openwall.com[1] CC'd for any updates on this issue.
>>>
>>> To oss-security, can I have a CVE for this? It is essentially the same
>>> vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead
>>> of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on
>>> 3.0.0, 3.1.0, 3.2.0 and 3.2.1.
>> *ping*
>>
>> This hasn't ended up in a CVE assignment.
>>
>> Cheers,
>>         Moritz
> I believe as per ADT4 these issues should be merged into the existing
> CVE-2011-3361:
>
> ADT4:
>
>

As Steve has pointed out, this was incorrect (different researcher found
the second vuln). So the previous issue:

CVE-2011-3361 is related to "Ensure $num is numeric in lib/BackupPC/CGI/Browse.pm to avoid XSS attack."

=====================

For this new issue please use CVE-2011-4923 which covers:

View.pm XSS vulnerabilities exploited via URLs such as:

index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>

Sorry for the mess.


-- 

-- Kurt Seifried / Red Hat Security Response Team
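The fix quoted above, "Ensure $num is numeric", as an added example in Perl that is not BackupPC's own View.pm code: a simulated handler that reflects the num parameter unchanged, beside a hardened version that rejects a non-numeric num and HTML-escapes the remaining fields. The function names, page template and probe value are assumptions.

```perl
#!/usr/bin/perl
# Added example, not BackupPC code. Simulates the View.pm request
# index.cgi?action=view&type=XferLOG&num=...&host=... from the thread.
use strict;
use warnings;

# Minimal HTML escaping so the example needs no non-core module.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Vulnerable pattern: the untrusted "num" parameter is copied into the
# HTML response verbatim, so markup in it is rendered by the browser.
sub view_vulnerable {
    my (%q) = @_;
    return "<p>Log file $q{type} #$q{num} for host $q{host}</p>";
}

# Hardened pattern: "num" must be a plain backup number before it is used
# anywhere, "type" must be one of the known log names, and every other
# field is escaped so no parameter can carry markup into the page.
sub view_hardened {
    my (%q) = @_;
    my $num = $q{num} // '';
    return { status => 400, body => 'Invalid backup number' }
        unless $num =~ /^\d+$/;
    my $type = $q{type} // '';
    return { status => 400, body => 'Invalid log type' }
        unless $type eq 'XferLOG' || $type eq 'XferErr';
    my $host = html_escape($q{host} // '');
    return { status => 200,
             body   => "<p>Log file $type #$num for host $host</p>" };
}

# Constructed probe request: a script tag where a backup number belongs.
my %req = (type => 'XferLOG', host => 'web01',
           num  => '<script>alert(1)</script>');
print "vulnerable: ", view_vulnerable(%req), "\n";   # tag reflected as-is
my $r = view_hardened(%req);
print "hardened:   $r->{status} $r->{body}\n";       # 400, tag never emitted
```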
