I am requesting a 2012 CVE for an incomplete security fix in smokeping,
fixed in version 2.6.9.
CVE-2012-0790 was assigned to smokeping for XSS flaws.
The fix for CVE-2012-0790 in smokeping 2.6.7 was incomplete. The
filtering used this blacklist:

    $mode =~ s/[<>&%]/./g;

The version in 2.6.9 uses the following blacklist:

    my $xssBadRx = qr/[<>%&'";]/;

(', ", and ; have been added. When it is used, blacklist chars are now
turned to _ rather than .) The 2.6.9 version prevents escaping <html
attribute="..."> via " characters.
The incomplete fix is in 2.6.7 and 2.6.8.
This flaw was discovered by Florian Weimer [1] in 2012 and brought to
our attention [2] in 2013.
The upstream CHANGES [3] file includes, in part:
--------------------------------------------------
2013/03/04 - released version 2.6.9
* be more careful about preventing xss attacks, re http://bugs.debian.org/659899 (tobi)
--------------------------------------------------
I have not found an up-to-date online browsable source.
Thanks
1: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899#37
2: https://bugs.launchpad.net/ubuntu/+source/smokeping/+bug/1203061
3: http://oss.oetiker.ch/smokeping/pub/CHANGES
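
The difference between the two blacklists quoted above, as an added example that is not part of the original message or of smokeping's source. The `render` template, the sample input, the exact substitution form used for 2.6.9, and the `encode_attr` alternative (output encoding instead of a blacklist) are assumptions made for illustration.

```perl
use strict;
use warnings;

# Filter quoted in the message for 2.6.7/2.6.8: listed chars become "."
sub filter_267 {
    my ($v) = @_;
    $v =~ s/[<>&%]/./g;
    return $v;
}

# Character class quoted for 2.6.9; per the message, matches become "_".
# The exact substitution statement is an assumption.
my $xssBadRx = qr/[<>%&'";]/;
sub filter_269 {
    my ($v) = @_;
    $v =~ s/$xssBadRx/_/g;
    return $v;
}

# Assumed alternative, not from smokeping: encode for the attribute context
# instead of deleting characters.
my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
           '"' => '&quot;', "'" => '&#39;');
sub encode_attr {
    my ($v) = @_;
    $v =~ s/([&<>"'])/$ent{$1}/g;
    return $v;
}

# Hypothetical template: any place the value lands inside a
# double-quoted HTML attribute.
sub render {
    my ($v) = @_;
    return qq{<input type="hidden" name="mode" value="$v">};
}

# Count name="value" attributes in the rendered tag.
sub attr_count {
    my ($html) = @_;
    my $n = () = $html =~ /\s[\w-]+="[^"]*"/g;
    return $n;
}

my $input = q{n" data-injected="1};    # constructed sample input
for my $case (['2.6.7', \&filter_267], ['2.6.9', \&filter_269],
              ['encode', \&encode_attr]) {
    my ($label, $f) = @$case;
    my $html = render($f->($input));
    printf "%-6s attrs=%d  %s\n", $label, attr_count($html), $html;
}
```

The template is written with three attributes; the 2.6.7 filter leaves the `"` untouched, so the rendered tag parses with a fourth, while the 2.6.9 filter and the encoding variant both keep the count at three.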