Bug 144127

Summary: CAN-2005-0085 XSS vulnerability in htdig 3.2.0b6 on FC3
Product: [Fedora] Fedora Reporter: Dave Miller <justdave>
Component: htdigAssignee: Phil Knirsch <pknirsch>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3CC: bressers, gerv, rvokal, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20050203
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-04-19 15:22:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dave Miller 2005-01-04 18:46:28 UTC 
Description of problem:
HTML metacharacters included in the config= parameter to htsearch are
displayed unmodified in the error message returned by htdig.

Version-Release number of selected component (if applicable):
3.2.0b6

How reproducible:
Always

Steps to Reproduce:
1.
http://yourfedorabox/cgi-bin/htsearch?config=%3Cscript%3Ealert('foo')%3C/script%3E
  
Actual results:
you get an alertbox that says "foo" in it.

Expected results:
You shouldn't get an alert box.

Additional info:
This error was reported to webmaster by mikx
Comment 1 Dave Miller 2005-01-04 19:03:59 UTC 
The actual package revision (left that out on the initial report --
apologies) is:

htdig-web-3.2.0b6-3

I've also reproduced this on a Fedora Core 1 box with:

htdig-web-3.2.0-19.20030601
Comment 2 Josh Bressers 2005-01-05 13:23:01 UTC 
This issue should also affect FC2.
Comment 3 Mark J. Cox 2005-01-24 11:39:41 UTC 
Hi Dave; this bug is currently marked as embargoed.  We'd like to
share the details with other vendor security teams that may ship
htdig.  Have you contacted anyone else about this issue?
Comment 5 Gervase Markham 2005-01-24 22:32:06 UTC 
Mark: Dave didn't actually discover the issue - mikx did. He
recently made about 44 XSS vulnerabilities (including one in Bugzilla)
public at the same time; I don't know if this was among them, or
whether it was a later discovery.

Gerv
Comment 6 Mark J. Cox 2005-01-25 08:30:14 UTC 
Thanks Gervase; we've spoken to Michael yesterday and he has not yet
disclosed this particular issue, believing it due to site
configuration.  We've confirmed that it isn't a template flaw and have
started talking to other vendor security teams to co-ordinate a fix.
Comment 7 Mark J. Cox 2005-02-04 08:55:53 UTC 
Removing embargo - This issue was leaked public early by SUSE.
Comment 8 Dave Miller 2005-02-22 03:36:48 UTC 
apologies for not replying sooner, I'm not getting bugmail from
Bugzilla for some reason.  I didn't report it anywhere upstream
because I didn't have any non-redhat machines to test it on to verify
it wasn't just a redhat issue.  Looks like you've already figured out
that wasn't the case though.
Comment 9 Phil Knirsch 2005-04-19 09:58:03 UTC 
Packages have been built, waiting for signing and push.

Read ya, Phil
Comment 10 Phil Knirsch 2005-04-19 15:22:00 UTC 
Packages signed and pushed, annoucenment email sent.

Closing bug.

Read ya, Phil