Cross-site scripting in Samizdat 0.6.1

2009.02.16
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Software: Samizdat, an open publishing web application written in Ruby
Vulnerability: cross-site scripting
Vulnerable Versions: 0.6.1 and earlier
Non-vulnerable Versions: 0.6.2, Debian package 0.6.1-3lenny1
Patch: http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-xss-escape-title.patch
References: CVE-2009-0359, DTSA-194-1

Description:
Samizdat 0.6.1 contains several code paths that fail to escape special HTML characters in the message title and user full name before these strings are included in a Web page (in earlier versions, only the user full name is exploitable). This allows an attacker to perform a cross-site scripting attack by including a specially crafted string in their full name or message title.

Test:
Log in. Set your full name to a string that includes a special HTML character (any of &"'<>). Publish a message with a title that includes a special character. Find your message in the list of recent updates on the site front page and check the HTML source to see whether the special characters were escaped as HTML entities. Because several code paths are affected, check every page on which the title or full name is rendered, not only the front-page list.

Fix:
Samizdat 0.6.2 includes a fix for this vulnerability. Alternatively, a patch for Samizdat 0.6.1 that closes this vulnerability is referenced above; it is also recommended to apply a second patch that improves the stability of the Samizdat Sanitize module (a white-list HTML filter used to remove dangerous tags, attributes, and CSS properties from user-submitted HTML): http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-tidy-binary.patch
Both patches are included in the Debian package version 0.6.1-3lenny1.

Dmitry Borodaenko
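The bug class in the Description, and the check in the Test step, as an added Ruby example. This is not Samizdat's own template code or the referenced patch: the two render functions are hypothetical, modelled on the pattern of interpolating a user-controlled title and full name into markup with and without escaping, and the sample name and title are constructed inputs that contain all five characters &"'<>. The helper at the end automates the advisory's test by asking whether the page source carries the entity-escaped form of each user string rather than the raw one.

```ruby
require 'cgi'

# Constructed sample inputs (not taken from the advisory): a full name and a
# message title that each contain every HTML-special character in &"'<>.
FULL_NAME = %q{Mallory <script>alert("name")</script> & 'co'}
TITLE     = %q{Hello <img src=x onerror='alert("title")'> & friends}

# Vulnerable pattern (hypothetical, modelled on the bug class the advisory
# describes, not Samizdat's actual template code): user-controlled strings are
# interpolated straight into the "recent updates" markup.
def render_unescaped(full_name, title)
  "<li><a href=\"/message/1\">#{title}</a> by " \
    "<span class=\"author\">#{full_name}</span></li>"
end

# Hardened pattern: escape at the point of output. CGI.escapeHTML rewrites
# & < > " ' as &amp; &lt; &gt; &quot; &#39;, so the strings are inert in both
# text and double-quoted attribute context.
def render_escaped(full_name, title)
  "<li><a href=\"/message/1\">#{CGI.escapeHTML(title)}</a> by " \
    "<span class=\"author\">#{CGI.escapeHTML(full_name)}</span></li>"
end

# The advisory's "Test" step, automated: does the page source carry the
# entity-escaped form of a user string and not the raw one? A string with
# nothing to escape is only required to be present.
def escaped_in?(html, user_string)
  escaped = CGI.escapeHTML(user_string)
  return html.include?(user_string) if escaped == user_string
  html.include?(escaped) && !html.include?(user_string)
end

# Returns the user strings that reached the page unescaped (empty when clean).
def leaked_strings(html, *user_strings)
  user_strings.reject { |s| escaped_in?(html, s) }
end

if __FILE__ == $PROGRAM_NAME
  [['unescaped', render_unescaped(FULL_NAME, TITLE)],
   ['escaped',   render_escaped(FULL_NAME, TITLE)]].each do |label, html|
    leaks  = leaked_strings(html, FULL_NAME, TITLE)
    status = leaks.empty? ? 'clean' : "#{leaks.size} string(s) unescaped"
    puts "#{label}: #{status}"
    puts "  #{html}"
  end
end
```

Run as a script it prints both renderings with a verdict; the unescaped one leaks both strings and contains a live <script> tag, the escaped one is clean. The same `leaked_strings` check works against real page source fetched from a test instance: pass the HTML and the exact strings you set as full name and title.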

References:

http://www.securityfocus.com/bid/33768
http://www.nongnu.org/samizdat/release-notes/samizdat-0.6.2.html
http://www.securityfocus.com/archive/1/archive/1/500961/100/0/threaded
http://www.mail-archive.com/debian-testing-security-announce@lists.debian.org/msg00171.html
http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-xss-escape-title.patch

