Date: Wed, 31 Oct 2012 17:30:28 -0600
From: Raphael Geissert <geissert@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: LetoDMS, more issues

On Wednesday 31 October 2012 09:31:13 Kurt Seifried wrote:
> On 10/30/2012 01:28 PM, Raphael Geissert wrote:
> > On Friday 05 October 2012 23:11:36 Raphael Geissert wrote:
> >> Regression in the above patch (fixed after the release of
> >> 3.3.9):
> >> http://mydms.svn.sourceforge.net/viewvc/mydms/branches/letoDMS-3.3.x/out/out.UsrMgr.php?r1=982&r2=981&pathrev=982
> 
> Does this regression cause a security issue (e.g. did accidentally
> putting htmlspecialchars() in actually cause a new XSS?).

I don't think so. The commit log says[1]:
"no need to escape with htmlspecialchars() because UI::contentSubHeading() 
does it too."

[1]http://mydms.svn.sourceforge.net/viewvc/mydms?view=revision&revision=982

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
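The exchange above turns on whether an extra htmlspecialchars() call in out.UsrMgr.php could open an XSS. The following added illustration (not LetoDMS code; the real UI::contentSubHeading() is not on this page, so the stand-in below that escapes its argument, the constructed user name and the containsRawTag() helper are all assumptions) shows why a redundant escape is a display regression rather than a security one: neither the double-escaped nor the single-escaped output leaves a raw angle bracket in the page.

```php
<?php
// Stand-in for UI::contentSubHeading(): the r982 commit log says the real
// helper escapes its argument itself, so this assumed version does too.
final class UI
{
    public static function contentSubHeading(string $text): string
    {
        return '<div class="contentSubHeading">'
            . htmlspecialchars($text, ENT_QUOTES, 'UTF-8')
            . '</div>';
    }
}

// True if the content inside the helper's wrapper still carries an
// unescaped '<' or '>', i.e. markup from the input survived into the page.
function containsRawTag(string $html): bool
{
    $inner = preg_replace('#^<div class="contentSubHeading">|</div>$#', '', $html);
    return strpbrk($inner, '<>') !== false;
}

// Constructed user name containing characters that matter in HTML.
$userName = '<b>Bob</b> & "Co"';

// Before r982: the caller escaped as well, so the value was encoded twice.
// Entities such as &lt; become &amp;lt; and render literally in the browser,
// which is the visible regression, but no markup reaches the page.
$doubleEscaped = UI::contentSubHeading(htmlspecialchars($userName, ENT_QUOTES, 'UTF-8'));

// After r982: the caller passes the raw value and relies on the helper alone.
$singleEscaped = UI::contentSubHeading($userName);

// Both checks are false: the redundant escape never introduced an XSS.
var_dump(containsRawTag($doubleEscaped), containsRawTag($singleEscaped));

// The unsafe variant is the opposite mistake: dropping the escape in the
// caller *and* in the helper. Shown only so the contrast is clear.
$unescaped = '<div class="contentSubHeading">' . $userName . '</div>';
var_dump(containsRawTag($unescaped));

echo $doubleEscaped, "\n", $singleEscaped, "\n";
```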
