Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4F04BFE1.90604@redhat.com>
Date: Wed, 04 Jan 2012 14:08:49 -0700
From: Kurt Seifried <kseifrie@...hat.com>
To: oss-security@...ts.openwall.com
CC: Moritz Mühlenhoff <jmm@...til.org>,
        Craig Barratt <cbarratt@...rs.sourceforge.net>, cve-assign@...re.org,
        security@...ntu.com
Subject: Re: CVE Request: Security issue in backuppc

On 01/03/2012 02:21 PM, Kurt Seifried wrote:
> On 01/03/2012 12:55 PM, Moritz Mühlenhoff wrote:
>> On Thu, Oct 27, 2011 at 04:00:48PM -0500, Jamie Strandboge wrote:
>>> Hi Craig,
>>>
>>> While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
>>> another XSS vulnerability in View.pm when accessing the following URLs
>>> in backuppc:
>>> index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
>>> index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>
>>>
>>> You are being emailed as the upstream contact. Please keep
>>> oss-security@...ts.openwall.com[1] CC'd for any updates on this issue.
>>>
>>> To oss-security, can I have a CVE for this? It is essentially the same
>>> vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead
>>> of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on
>>> 3.0.0, 3.1.0, 3.2.0 and 3.2.1.
>> *ping*
>>
>> This hasn't ended up in a CVE assignment.
>>
>> Cheers,
>>         Moritz
> I believe as per ADT4 these issues should be merged into the existing
> CVE-2011-3361:
>
> ADT4:
>
>

As Steve has pointed out, this was incorrect (different researcher found
the second vuln). So the previous issue:

CVE-2011-3361 is related to "Ensure $num is numeric in lib/BackupPC/CGI/Browse.pm to avoid XSS attack."

=====================

For this new issue please use CVE-2011-4923 which covers:

View.pm XSS vulnerabilities exploited via urls such as:

index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>

Sorry for the mess.


-- 

-- Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.