Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 6 May 2016 21:30:41 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: ikiwiki: HTML-escape error messages to prevent
 cross-site scripting attack

Hi

Release 3.20160506 of ikiwiki, a wiki compiler, fixed a cross-site
scripting vulnerability. It has been fixed with the following commit:

http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7

> Subject: [PATCH] HTML-escape error messages (OVE-20160505-0012)
> 
> The instance in cgierror() is a potential cross-site scripting attack,
> because an attacker could conceivably cause some module to raise an
> exception that includes attacker-supplied HTML in its message, for
> example via a crafted filename. (OVE-20160505-0012)
> 
> The instances in preprocess() is just correctness. It is not a
> cross-site scripting attack, because an attacker could equally well
> write the desired HTML themselves; the sanitize hook is what
> protects us from cross-site scripting here.

Could you please assign a CVE identifier for this issue.

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ