Message-ID: <20081002163047.GA3002@anguilla.debian.or.at>
Date: Thu, 2 Oct 2008 18:30:47 +0200
From: Gerfried Fuchs <rhonda@....at>
To: oss-security@...ts.openwall.com
Subject: blosxom XSS issue (CVE-2008-2236)

 Hi!

 I'd like to inform you of an XSS issue in blosxom which was reported
by Yoshinori Ohta of Business Architects Inc. and got assigned the IDs
CVE-2008-2236 and JVN#03300113. The problem allowed injecting arbitrary
output into the default error page and possibly into any plugin that uses
the $flavour variable in its output directly.

 A fixed version was released today and announced on the blosxom-users
list:
<http://sourceforge.net/mailarchive/forum.php?thread_name=20081002155914.GL10579%40sym.noone.org&forum_name=blosxom-users>

 The Debian Bug about the issue:
<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=500873>

 The patch to fix the problem:
<http://blosxom.cvs.sourceforge.net/viewvc/blosxom/blosxom2/blosxom.cgi?r1=1.83&r2=1.84>

 Hope that helps. :)
Rhonda
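As an added illustration, not blosxom's own code and not the linked patch, here is a Perl sketch of the reflection pattern the message describes, next to a hardened form that restricts the flavour name to a safe character set (with HTML escaping as a second layer) before it reaches the error page. The function names, the fallback flavour and the error text are assumptions made for this example.

```perl
#!/usr/bin/perl
# Illustrative example only (not blosxom's code): a request-supplied
# "flavour" value reflected into an error page, unsafe and hardened.
use strict;
use warnings;

# Accept only flavour names made of word characters, dots and dashes;
# anything else falls back to a default (assumed here to be "html").
sub sanitize_flavour {
    my ($flavour) = @_;
    return 'html' unless defined $flavour && $flavour =~ /^[\w.-]+$/;
    return $flavour;
}

# Escape the characters HTML gives meaning to. After sanitize_flavour
# this cannot change the value, but it keeps the output safe even if
# the whitelist is later relaxed or bypassed by a plugin.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Vulnerable pattern: the raw request value is interpolated into markup,
# so any tags it carries are rendered by the browser.
sub error_page_unsafe {
    my ($flavour) = @_;
    return "<p>Unknown flavour: $flavour</p>";
}

# Hardened pattern: validate first, escape second, then interpolate.
sub error_page_safe {
    my ($flavour) = @_;
    my $safe = html_escape(sanitize_flavour($flavour));
    return "<p>Unknown flavour: $safe</p>";
}

# Constructed sample input: a value that is not a valid flavour name.
my $req = 'html<i>not-a-flavour</i>';
print error_page_unsafe($req), "\n";   # tags reach the browser
print error_page_safe($req),   "\n";   # prints "Unknown flavour: html"
```

Plugins that echo the flavour should consume the validated value rather than the raw request parameter, so the same check covers every output path.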
