[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities

[Pierre Habouzit]

Le Lun 19 Décembre 2005 16:54, Thijs Kinkhorst a écrit :
> On Mon, 2005-12-19 at 16:47 +0100, Pierre Habouzit wrote:
> > -6 is the package that will fix all that should be, and it'll enter
> > etch in 10 days from now.
>
> Great, my interest is that the problem is addressed in the best way
> possible :) What about stable, do you want to prepare new updated
> packages or is the current fix ok?

the current fix has a nasty side effect, it leads to 342544

a solution has to be brewed from the 001_update1.patch (IIRC) that 
performs checks in the regexp.php file IIRC.

I should say I've not the time atm to extract it myself.


Though, please note that this XSS vulneratibility IS really minor : it 
has to be created from a user that stole you a PHPSESSID, and made a 
treacheous search, and force the user to use 'last search result' 
*BEFORE* you do a new search yourself, which is *REALLY* unlikely. that 
is not doable for anonymous users.

I'll try to have a minimalist patch ASAP, but stable version is not 
really based on the same code (I mean the version in unstable is quite 
bigger) and I'm not sure a patch is that simple to transpose (you must 
have seen that my patch was quite brutal : I escaped any POST-ed or 
GET-et variable, which is most of the time OK, but which is not really 
nice not "the right way" since it results in some entities showing up 
in mails).
-- 
·O·  Pierre Habouzit
··O                                                madcoder at debian.org
OOO                                                http://www.madism.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20051219/6c73043f/attachment.pgp