Date: Thu, 26 Feb 2015 10:38:20 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
        "tseaver@...ladion.com >> Tres Seaver" <tseaver@...ladion.com>,
        matt@...thewwilkes.name, nathan@...gheem.us,
        Assign a CVE Identifier <cve-assign@...re.org>
Subject: XSS In Zope

So originally Radek Steoger of Red Hat found an XSS in luci/conga:

==========
Within luci's use of Products.PluggableAuthService there appears to be
an XSS, e.g.:

https://luci.example.com:8084/acl_users/users/manage_updatePasswordForm?manage_tabs_message=%3Cscript%3Ealert('1234')%3C/script%3E
==========

This was tracked down to being in Products.PluggableAuthService (a
component of Zope).

I notified the Zope security people, they tracked it down on their end,
this was actually found/fixed in 2009:

https://bugs.launchpad.net/zope2/+bug/490514

https://github.com/zopefoundation/Zope/commit/2abdf14620f146857dc8e3ffd2b6a754884c331d

and the fix was forward ported from the 2.10 branch, as well as to the
2.11 branch and the trunk. The fix landed in:
  Zope 2.10.10
  Zope 2.11.5
  Zope 2.12.2

With thanks to Tres, Matt and Nathan for sorting this out/chasing it
down on Zope's end (basically they did all the heavy lifting).

So this should probably get a CVE from 2009.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
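The reflected XSS described in the report, as an added illustration that is not part of the original message and not Zope's or PluggableAuthService's own code: a hypothetical management-form renderer that interpolates the `manage_tabs_message` query parameter into the page verbatim, next to the hardened variant that HTML-escapes it. The request URL is constructed to match the shape of the one quoted above (the `luci.example.com` host and the `alert('1234')` payload are the report's), and `render_form_vulnerable`, `render_form_fixed` and `reflects_unescaped` are names chosen for this example.

```python
# Added example (not Zope's own code): the reflected-XSS pattern in a
# management-form status-message parameter, beside the escaping fix.
from html import escape
from urllib.parse import parse_qs, urlsplit


def parse_tabs_message(url: str) -> str:
    """Extract the manage_tabs_message query parameter (empty string if absent).

    parse_qs percent-decodes, so %3Cscript%3E comes back as <script>.
    """
    qs = parse_qs(urlsplit(url).query)
    return qs.get("manage_tabs_message", [""])[0]


def render_form_vulnerable(message: str) -> str:
    """Hypothetical 'before' rendering: the message goes into the HTML untouched,
    so any markup supplied in the URL is interpreted by the browser."""
    return f'<div class="system-msg">{message}</div>'


def render_form_fixed(message: str) -> str:
    """Hardened rendering: HTML-escape the message (including quotes) so that
    markup from the URL is shown as inert text rather than executed."""
    return f'<div class="system-msg">{escape(message, quote=True)}</div>'


def reflects_unescaped(html_out: str, message: str) -> bool:
    """Detection helper for a regression test: True when the rendered page still
    contains the raw message with its angle brackets intact."""
    return ("<" in message or ">" in message) and message in html_out


# Constructed request URL mirroring the shape of the one in the report.
SAMPLE_URL = (
    "https://luci.example.com:8084/acl_users/users/manage_updatePasswordForm"
    "?manage_tabs_message=%3Cscript%3Ealert('1234')%3C/script%3E"
)

if __name__ == "__main__":
    msg = parse_tabs_message(SAMPLE_URL)
    print("vulnerable:", render_form_vulnerable(msg))
    print("fixed:     ", render_form_fixed(msg))
```

The `reflects_unescaped` check is the kind of assertion worth keeping in a test suite after applying a fix like the 2009 commit: feed a status message containing markup through the form and fail if it comes back with the angle brackets intact.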

