Message-Id: <201210311730.28969.geissert@debian.org>
Date: Wed, 31 Oct 2012 17:30:28 -0600
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: LetoDMS, more issues

On Wednesday 31 October 2012 09:31:13 Kurt Seifried wrote:
> On 10/30/2012 01:28 PM, Raphael Geissert wrote:
> > On Friday 05 October 2012 23:11:36 Raphael Geissert wrote:
> >> Regression in the above patch (fixed after the release of 3.3.9):
> >> http://mydms.svn.sourceforge.net/viewvc/mydms/branches/letoDMS-3.3.x/out/out.UsrMgr.php?r1=982&r2=981&pathrev=982
>
> Does this regression cause a security issue (e.g. did accidentally
> putting htmlspecialchars() in actually cause a new XSS?).

I don't think so. The commit log says[1]:
"no need to escape with htmlspecialchars() because UI::contentSubHeading() does it too."

[1] http://mydms.svn.sourceforge.net/viewvc/mydms?view=revision&revision=982

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net