[Secure-testing-team] Bug#583290: zonecheck: XSS security bug in the CGI
Stephane Bortzmeyer
bortzmeyer at nic.fr
Wed May 26 19:40:00 UTC 2010
Package: zonecheck
Version: 2.0.4-13
Severity: grave
Tags: security
Justification: user security hole
There is an XSS security bug in the Zonecheck CGI up to version 2.1.0. Fixed
upstream in 2.1.1.
The patch is simple and can probably be backported:
http://cvs.savannah.gnu.org/viewvc/zonecheck/zc/publisher/html.rb?root=zonecheck&r1=1.79&r2=1.80
The bug has already been exploited in the wild:
http://www.xssed.com/mirror/61096/
The upstream bug report: https://savannah.nongnu.org/bugs/?29967
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages zonecheck depends on:
ii iputils-ping 3:20071127-1 Tools to test the reachability of
ii ruby 4.2 An interpreter of object-oriented
zonecheck recommends no packages.
zonecheck suggests no packages.
-- no debconf information