Re: XSS in HTDIG

From: Henrik Edlund (henrik@edlund.org)
Date: 06/28/02

Previous message: Trustix Secure Linux Advisor: "TSL-2002-0058 - apache/mod_ssl"
In reply to: Peter Watkins: "Re: XSS in HTDIG"
Next in thread: webmaster (Stephen Ostermiller): "Re: XSS in HTDIG"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 28 Jun 2002 19:06:29 +0200 (MET DST)
From: Henrik Edlund <henrik@edlund.org>
To: Peter Watkins <peterw@usa.net>

On Thu, 27 Jun 2002, Peter Watkins wrote:

PW> What version is this? With the sample templates in ht://Dig version
PW> 3.1.6, the "words" info seems to be properly escaped -- I just see the
PW> <script> stuff inside the text input box, and translated on the page.
PW> For example,
PW>
PW> http://www.htdig.org/cgi-bin/htsearch?config=htdig;words=%22%3E%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
PW>
PW> My example URL suggests that version 3.1.5 is also immune, though 3.1.5
PW> has other issues that 3.1.6 resolves -- see
PW> http://online.securityfocus.com/bid/3410 and
PW> http://www.htdig.org/index.html

Version 3.2.0b3 seems to be vunerable.

-- 
http://www.edlund.org/

Previous message: Trustix Secure Linux Advisor: "TSL-2002-0058 - apache/mod_ssl"
In reply to: Peter Watkins: "Re: XSS in HTDIG"
Next in thread: webmaster (Stephen Ostermiller): "Re: XSS in HTDIG"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Contacts not showing up in Address Book
... Sue Mosher, Outlook MVP ... "James" wrote in message ... > The contact addresses apparently were not resolved by the script. ... > address book) What resolves the issue and gets the contact to show up in ...
(microsoft.public.outlook.interop)
[resolved] Re: xdm & syscons failing to get along ... sometimes?
... command-line parameter for the xdm invocation in my script. ... seems to indicate that this resolves the problem quite nicely: ...
(freebsd-current)