Date: Fri, 6 May 2016 21:30:41 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: ikiwiki: HTML-escape error messages to prevent
 cross-site scripting attack

Hi

Release 3.20160506 of ikiwiki, a wiki compiler, fixed a cross-site
scripting vulnerability. It has been fixed with the following commit:

http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7

> Subject: [PATCH] HTML-escape error messages (OVE-20160505-0012)
> 
> The instance in cgierror() is a potential cross-site scripting attack,
> because an attacker could conceivably cause some module to raise an
> exception that includes attacker-supplied HTML in its message, for
> example via a crafted filename. (OVE-20160505-0012)
> 
> The instances in preprocess() is just correctness. It is not a
> cross-site scripting attack, because an attacker could equally well
> write the desired HTML themselves; the sanitize hook is what
> protects us from cross-site scripting here.

Could you please assign a CVE identifier for this issue.

Regards,
Salvatore
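
The class of bug the quoted commit message describes, as an added Perl example that is not ikiwiki's code or the patch itself: an exception message carrying a request-supplied filename reaches a CGI error page, first unescaped and then HTML-escaped at the point of output. All function names and the sample filename are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the characters that are significant in HTML text and in
# quoted attribute values. One pass, so '&' is never double-escaped.
sub escape_html {
    my ($text) = @_;
    my %entity = (
        '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
        '"' => '&quot;', "'" => '&#39;',
    );
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Hypothetical error-page builder, "before" form: the exception
# message is interpolated into the markup as-is.
sub error_page_unescaped {
    my ($message) = @_;
    return "<html><body><p class=\"error\">Error: $message</p></body></html>\n";
}

# "After" form: the message is escaped where it becomes HTML.
sub error_page_escaped {
    my ($message) = @_;
    return error_page_unescaped(escape_html($message));
}

# Hypothetical module code that raises an exception whose text
# includes a filename taken from the request.
sub process_upload {
    my ($filename) = @_;
    die "bad attachment filename: $filename\n";
}

my $crafted = '<script>alert(1)</script>.png';    # constructed sample input

eval { process_upload($crafted); 1 } or do {
    my $err = $@;
    chomp $err;
    my $before = error_page_unescaped($err);
    my $after  = error_page_escaped($err);
    # The escaped page must not contain the tag from the filename.
    die "escaping failed\n" if $after =~ /<script/i;
    print "unescaped: $before";
    print "escaped:   $after";
};
```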
