Date: Thu, 27 Oct 2011 16:00:48 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: Craig Barratt <cbarratt@...rs.sourceforge.net>, coley@...us.mitre.org, oss-security <oss-security@...ts.openwall.com>
Cc: security@...ntu.com
Subject: CVE Request: Security issue in backuppc

Hi Craig,

While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered another XSS vulnerability in View.pm when accessing the following URLs in backuppc:

index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>

You are being emailed as the upstream contact. Please keep oss-security@...ts.openwall.com CC'd for any updates on this issue.

To oss-security, can I have a CVE for this? It is essentially the same vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead of CGI/Browse.pm.

Attached is a patch to fix this issue. Tested on 3.0.0, 3.1.0, 3.2.0 and 3.2.1.

-- 
Jamie Strandboge | http://www.canonical.com

View attachment "view.diff" of type "text/x-patch" (410 bytes)
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
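The mail names the vulnerable URLs but neither the vulnerable line nor the fix (the attached view.diff is not reproduced in the archive). The following is an added Perl illustration, written for this page and not taken from BackupPC, the mail, or the attached patch: it shows the reflected-XSS shape the report describes (a CGI `num` parameter echoed into the HTML response unescaped) next to a hardened form that validates and escapes the parameters. The function names `render_vulnerable`, `render_hardened` and `html_escape`, the sample request values, and the assumption that `num` should only ever be a non-negative integer are all this example's own, not BackupPC's.

```perl
#!/usr/bin/perl
# Added illustration, not BackupPC's code and not the attached view.diff:
# a reflected-XSS pattern of the kind the mail describes (a CGI "num"
# parameter echoed into HTML unescaped) beside a hardened version.
# render_vulnerable, render_hardened and html_escape are hypothetical names;
# that "num" must be a non-negative integer is an assumption made here.
use strict;
use warnings;

# Minimal HTML escaper so the example needs no non-core modules.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Vulnerable shape: untrusted query parameters are interpolated straight
# into the page, so num=<script>... lands in the response verbatim.
sub render_vulnerable {
    my ($type, $num, $host) = @_;
    return "<h2>$type for backup #$num on host $host</h2>\n";
}

# Hardened shape: reject a "num" that is not a small integer before doing
# any work, and HTML-escape every other untrusted value that reaches the
# markup. Validation stops the attack at the boundary; escaping protects
# the sinks that validation does not cover.
sub render_hardened {
    my ($type, $num, $host) = @_;
    return unless defined $num && $num =~ /\A\d{1,9}\z/;
    return sprintf "<h2>%s for backup #%d on host %s</h2>\n",
        html_escape($type), $num, html_escape($host);
}

# Constructed sample request matching the URL shape quoted in the mail:
#   index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
my %q = (
    type => 'XferLOG',
    num  => '1<script>alert(1)</script>',
    host => 'localhost',
);

print "vulnerable: ", render_vulnerable(@q{qw(type num host)});
my $safe = render_hardened(@q{qw(type num host)});
print "hardened:   ", (defined $safe ? $safe : "request rejected (bad num)\n");

# A benign backup number still renders; a hostile host value comes out escaped.
$q{num}  = '42';
$q{host} = 'srv<img src=x onerror=alert(1)>';
print "hardened:   ", render_hardened(@q{qw(type num host)});
```

Run it with `perl` and compare the two outputs: the vulnerable path returns the `<script>` tag intact, the hardened path refuses the malformed `num` and renders the hostile host value as `&lt;img ...&gt;`. The same comparison is the practical check against a live instance: request the two URLs from the mail with a marker string in `num` and look at whether the marker comes back in the response body literally or entity-encoded.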