Message-ID: <20160506193041.GA4287@eldamar.local>
Date: Fri, 6 May 2016 21:30:41 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: ikiwiki: HTML-escape error messages to prevent cross-site scripting attack

Hi

Release 3.20160506 of ikiwiki, a wiki compiler, fixed a cross-site
scripting vulnerability. It has been fixed with the following commit:

http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7

> Subject: [PATCH] HTML-escape error messages (OVE-20160505-0012)
>
> The instance in cgierror() is a potential cross-site scripting attack,
> because an attacker could conceivably cause some module to raise an
> exception that includes attacker-supplied HTML in its message, for
> example via a crafted filename. (OVE-20160505-0012)
>
> The instances in preprocess() are just correctness. It is not a
> cross-site scripting attack, because an attacker could equally well
> write the desired HTML themselves; the sanitize hook is what
> protects us from cross-site scripting here.

Could you please assign a CVE identifier for this issue.

Regards,
Salvatore
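The cgierror() case in the quoted commit message is the classic pattern of an exception message carrying untrusted input (here a filename) into an HTML error page. The following is an added illustration, not ikiwiki's own code (which is Perl) and not part of the mailing-list post: a Python stand-in with a constructed `open_attachment` helper that echoes the filename in its exception, an unescaped error renderer in the shape of the pre-fix code, and the escaped renderer that mirrors the fix. All function names and the sample filename are assumptions made for this example.

```python
import html

# Constructed stand-in for "some module" that raises an exception whose
# message echoes attacker-influenced input (the "crafted filename" case).
def open_attachment(filename):
    raise FileNotFoundError(f"cannot open attachment '{filename}'")

# Pre-fix shape (assumed, not ikiwiki's code): the message is interpolated
# into the error page verbatim, so any markup in it is rendered by the browser.
def cgierror_unescaped(message):
    return f"<html><body><h1>Error</h1><p>{message}</p></body></html>"

# Post-fix shape: the message is HTML-escaped before interpolation, so
# markup in it is shown as literal text instead of being rendered.
def cgierror_escaped(message):
    return (
        "<html><body><h1>Error</h1><p>"
        + html.escape(message, quote=True)
        + "</p></body></html>"
    )

# Drive one request: let the module raise, then turn the exception text into
# an error page with either renderer. Returns the page as a string.
def render_error_page(filename, escape=True):
    try:
        open_attachment(filename)
    except Exception as exc:
        renderer = cgierror_escaped if escape else cgierror_unescaped
        return renderer(str(exc))
    return None

# Constructed sample filename containing markup; benign tags are enough to
# show whether the renderer lets attacker-supplied HTML through.
CRAFTED_FILENAME = "<b>not-a-real-file</b>"

if __name__ == "__main__":
    print(render_error_page(CRAFTED_FILENAME, escape=False))
    print(render_error_page(CRAFTED_FILENAME, escape=True))
```

The useful check when reviewing similar code is not whether the application's own strings are safe, but whether every string that reaches the page template, exception messages included, has been escaped on the way in; the commit message's distinction between cgierror() and preprocess() turns on exactly where the last escaping or sanitizing step sits relative to the untrusted data.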