Date: Fri, 6 May 2016 21:30:41 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: OSS Security Mailinglist <oss-security@...ts.openwall.com> Subject: CVE Request: ikiwiki: HTML-escape error messages to prevent cross-site scripting attack Hi Release 3.20160506 of ikiwiki, a wiki compiler, fixed a cross-site scripting vulnerability. It has been fixed with the following commit: http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7 > Subject: [PATCH] HTML-escape error messages (OVE-20160505-0012) > > The instance in cgierror() is a potential cross-site scripting attack, > because an attacker could conceivably cause some module to raise an > exception that includes attacker-supplied HTML in its message, for > example via a crafted filename. (OVE-20160505-0012) > > The instances in preprocess() is just correctness. It is not a > cross-site scripting attack, because an attacker could equally well > write the desired HTML themselves; the sanitize hook is what > protects us from cross-site scripting here. Could you please assign a CVE identifier for this issue. Regards, Salvatore
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ