Date: Thu, 2 Oct 2008 18:30:47 +0200
From: Gerfried Fuchs <rhonda@....at>
To: oss-security@...ts.openwall.com
Subject: blosxom XSS issue (CVE-2008-2236)

Hi!

I'd like to inform you of an XSS issue in blosxom which was reported by Yoshinori Ohta of Business Architects Inc. and got assigned the IDs CVE-2008-2236 and JVN#03300113.

The problem allowed injecting arbitrary output into the default error page and possibly any plugin that uses the $flavour variable in its output directly.

A fixed version was released today and announced on the blosxom-users list:
<http://sourceforge.net/mailarchive/forum.php?thread_name=20081002155914.GL10579%40sym.noone.org&forum_name=blosxom-users>

The Debian Bug about the issue:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500873>

The patch to fix the problem:
<http://blosxom.cvs.sourceforge.net/viewvc/blosxom/blosxom2/blosxom.cgi?r1=1.83&r2=1.84>

Hope that helps. :)
Rhonda
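The message above describes the flaw only in outline: a user-supplied flavour value is interpolated into the error page (and possibly plugin output) unescaped. The following Perl is an added illustration, not blosxom's code or the linked patch; the character class used to validate the flavour and the error message wording are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example (not blosxom's own code): validate the requested flavour
# before it is interpolated into an error page or a plugin's output.
use strict;
use warnings;

# Flavour names are plain identifiers, so anything outside this character
# class cannot name a real flavour and is rejected. The pattern is an
# assumption made for this example, not taken from blosxom.
my $flavour_re = qr/^[A-Za-z0-9_-]{1,32}$/;

# Returns the requested flavour if it is safe to use, otherwise the fallback.
sub safe_flavour {
    my ($requested, $fallback) = @_;
    return $fallback unless defined $requested && $requested =~ $flavour_re;
    return $requested;
}

# Escape the characters that matter in an HTML context. A value that passed
# safe_flavour() contains none of them, but escaping at the point of output
# keeps plugins safe even if validation is skipped somewhere else.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Constructed sample input standing in for the flavour taken from the URL.
my $raw = defined $ARGV[0] ? $ARGV[0] : 'html<b>bogus</b>';

# Error page built the vulnerable way: the raw value goes straight into HTML.
my $vulnerable = qq{<p>Error: unknown flavour "$raw".</p>\n};

# Hardened form: validate first, then escape whatever is emitted.
my $flavour  = safe_flavour($raw, 'html');
my $hardened = qq{<p>Error: unknown flavour "} . html_escape($flavour)
             . qq{".</p>\n};

print "vulnerable: $vulnerable";
print "hardened:   $hardened";
```

Run it with a flavour argument (or none, to use the constructed sample) to see the raw interpolation emit markup while the hardened path falls back to the default flavour and escapes the output.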