Date: Mon, 20 Jun 2016 15:40:53 +0200
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request: 2015 squidguard reflected XSS

Hi,

Please assign a CVE for:

http://www.squidguard.org/Downloads/CHANGELOG
	2015-02-01	Fixed a cross site vulnerability in squidGuard.cgi

http://www.squidguard.org/Downloads/Patches/1.4/Readme.Patch-20150201

I have attached the diff against 1.4; the relevant part seems to be the two lines replacing tags
in $url.

Unsure why they added another \n to the headers, as there are already two \n.

Ciao, Marcus

--- squidGuard-1.4/samples/squidGuard.cgi.in	2008-12-23 22:08:35.000000000 +0100
+++ squidGuard-1.4-patch-20150201/squidGuard.cgi	2015-02-01 19:43:27.000000000 +0100
@@ -1,4 +1,4 @@
-#! @PERL@  -w
+#! /usr/bin/perl  -w
 #
 # Explain to the user that the URL is blocked and by which rule set
 #
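Review bot: Hard-coding /usr/bin/perl in the shebang drops the @PERL@ placeholder that the old side of this hunk (samples/squidGuard.cgi.in) carries, so the interpreter path is no longer filled in at build time. This is unrelated to the XSS fix; when applying the patch to the .in template, keep "#! @PERL@  -w".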
@@ -6,7 +6,8 @@
 # French texts thanks to Fabrice Prigent (fabrice.prigent@...v-tlse1.fr)
 # Dutch texts thanks to Anneke Sicherer-Roetman (sicherer@...hemsoft.nl)
 # German texts thanks to Buergernetz Pfaffenhofen (http://www.bn-paf.de/filter/)
-# Spanish texts thanks to Samuel García).
+# Spanish texts thanks to Samuel García.
+# Russian texts thanks to Vladimir Ipatov.
 # Rewrite by Christine Kronberg, 2008, to enable an easier integration of
 # other languages.
 #
@@ -57,21 +58,22 @@
 #
 # CONFIGURABLE OPTIONS:
 #
-# (Currently: "en", "fr", "de", "es", "nl", "no")
+# (Currently: "en", "fr", "de", "es", "nl", "no", "ru")
 @supported   = (
 		"en (English), ",
-		"fr (Franais), ",
+		"fr (Fran&#231;ais), ",
 		"de (Deutsch), ",
-		"es (Espaol), ",
+		"es (Espa&#241;ol), ",
 		"nl (Nederlands), ",
-		"no (Norsk)."
+		"no (Norsk), ",
+		"ru (Russian)."
 	       );
 #
 # Modifiy the values below to reflect you environment
 # The image you define with "$image" and redirect will be displayed if the unappropriate
 # url is of the type: gif, jpg, jpeg, png, mp3, mpg, mpeg, avi or mov.
 #
-$image       = "/images/blocked.gif";					# RELATIVE TO DOCUMENT_ROOT
+$image       = "/Logos/md5.png";					# RELATIVE TO DOCUMENT_ROOT
 $redirect    = "http://admin.your-domain/images/blocked.gif";		# "" TO AVOID REDIRECTION
 $proxy       = "proxy.your-domain";					# Your proxy server
 $proxymaster = "operator\@...r-domain";					# The email of your proxy adminstrator
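Review bot: The new default $image = "/Logos/md5.png" reads like a site-local setting that ended up in the patch; it replaces the generic "/images/blocked.gif" and has nothing to do with the security fix, so it should be dropped when backporting. Separately, the "fr" and "es" entries in @supported now carry HTML entities (&#231;, &#241;), which is only correct if that list is always emitted as raw HTML; this hunk does not show where it is printed, so that is worth confirming.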
@@ -142,7 +144,7 @@
 }
 
 #
-# PRINT HTTP STATUS HEARER:
+# PRINT HTTP STATUS HEADER:
 #
 sub status($) {
   my $status = shift;
@@ -150,7 +152,7 @@
 }
 
 #
-# PRINT HTTP LOCATION HEARER:
+# PRINT HTTP LOCATION HEADER:
 #
 sub redirect($) {
   my $location = shift;
@@ -249,7 +251,7 @@
     status("404 Not Found");
   }
   if (@...es) {
-    print "Content-type: text/html\n\n";
+    print "Content-type: text/html\n\n\n";
     print "<!DOCTYPE html PUBLIC \"-//W3C//DTD  HTML 4.0 Transitional//EN\" \"http://www.w3.org/TR/REC-html40/loose.dtd\">\n";
     print "<html><head>\n";
     print "<title>$Babel{Title}</title>\n";
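Review bot: The third \n in print "Content-type: text/html\n\n\n"; is not part of the header block. The headers already end after the second \n, so the extra newline is sent as the first character of the body, ahead of the DOCTYPE line. It does nothing for the XSS fix; suggest keeping "\n\n" here.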
@@ -317,9 +319,12 @@
    showinaddr($targetgroup,$protocol,$address,$port,$path);
 }
 
+$url =~ s/</&lt;/g ;
+$url =~ s/>/&gt;/g ;
+
 status("403 Forbidden");
 expires(0);
-print "Content-type: text/html\n\n";
+print "Content-type: text/html\n\n\n";
 print "<!DOCTYPE html PUBLIC \"-//W3C//DTD  HTML 4.0 Transitional//EN\" \"http://www.w3.org/TR/REC-html40/loose.dtd\">\n";
 print "<html><head>\n";
 print "<title>$Babel{Title}</title>\n";
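Review bot: The two substitutions on $url encode only < and >, leaving &, " and ' untouched, so the fix holds only where $url is printed as element text; if the page also places $url inside an attribute value (not visible in this hunk), a quote character would still break out of it. Suggest encoding all five characters, with & handled first so the entities produced by the later substitutions are not double-encoded. Also note that the escaping is applied only at this point, after the showinaddr(...) block and just before the 403 page, so any output path that ends before these lines and prints $url would need the same treatment. The extra \n in the Content-type line here lands in the body rather than the headers, as in the earlier hunk.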
