[Secure-testing-team] Re: Bug#335997: flyspray: Multiple XSS vulnerabilities

Pierre Habouzit pierre.habouzit at m4x.org
Mon Dec 19 16:03:21 UTC 2005


On Mon 19 December 2005 17:02, Pierre Habouzit wrote:
> On Mon 19 December 2005 16:54, Thijs Kinkhorst wrote:
> > On Mon, 2005-12-19 at 16:47 +0100, Pierre Habouzit wrote:
> > > -6 is the package that will fix all that should be, and it'll
> > > enter etch in 10 days from now.
> >
> > Great, my interest is that the problem is addressed in the best way
> > possible :) What about stable, do you want to prepare new updated
> > packages or is the current fix ok?
>
> the current fix has a nasty side effect, it leads to 342544
>
> a solution has to be brewed from the 001_update1.patch (IIRC) that
> performs checks in the regexp.php file IIRC.
>
> I should say I've not the time atm to extract it myself.
>
>
> Though, please note that this XSS vulnerability IS really minor:
> it has to be created by a user that stole a PHPSESSID from you, made
> a treacherous search, and forced the user to use 'last search result'
> *BEFORE* you do a new search yourself, which is *REALLY* unlikely.
> That is not doable for anonymous users.
>
> I'll try to have a minimalist patch ASAP, but stable version is not
> really based on the same code (I mean the version in unstable is
> quite bigger) and I'm not sure a patch is that simple to transpose
> (you must have seen that my patch was quite brutal: I escaped any
> POST-ed or GET-ed variable, which is most of the time OK, but which
> is not really nice nor "the right way" since it results in some
> entities showing up in mails).

In fact, I'm just not sure that stable is concerned, as the 'last 
search' link does not exist in it as far as I remember.
-- 
·O·  Pierre Habouzit
··O                                                madcoder at debian.org
OOO                                                http://www.madism.org
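
The side effect mentioned in the quoted message (escaping every POST-ed or GET-ed variable makes entities show up in mails), as an added example that is not part of the original thread and is not Flyspray's code. The function names, the `string` parameter, the link markup and the sample search term are all constructed for illustration.

```php
<?php
// Constructed sample: a search term as it might arrive in a request.
$request = ['string' => 'status <open> & "urgent"'];

// Approach described in the mail: HTML-escape every request variable once,
// on input, regardless of where the value is used later.
function escape_on_input(array $request): array
{
    return array_map(
        fn($v) => is_string($v) ? htmlspecialchars($v, ENT_QUOTES, 'UTF-8') : $v,
        $request
    );
}

// Alternative: keep the raw value and encode it for each sink when it is
// written out. This helper is for the HTML sink only.
function html_out(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Plain-text mail sink: nothing interprets HTML here, so the value must
// not carry HTML entities.
function mail_body(string $term): string
{
    return "Your last search was: " . $term . "\n";
}

$escaped = escape_on_input($request);

// HTML sink (hypothetical 'last search' link): both variants are inert,
// the markup characters are rendered as text.
echo '<a href="?do=lastsearch">', $escaped['string'], "</a>\n";
echo '<a href="?do=lastsearch">', html_out($request['string']), "</a>\n";

// Mail sink: the input-escaped value leaks entities into the plain text,
// the raw value reads as the user typed it.
echo mail_body($escaped['string']);
echo mail_body($request['string']);

// Escaping an already input-escaped value again at output double-encodes
// it, so a literal "&amp;" becomes visible in the page.
echo html_out($escaped['string']), "\n";
```

Run with `php` on the command line to compare the HTML lines with the two mail lines.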