Bug 523277 (CVE-2008-7220)
| Summary: | CVE-2008-7220 WordPress, MediaTomb, python-webhelpers, Asterisk, Plone -- embedded Prototype JavaScript FrameWork: XSS Ajax requests (AST-2009-009) | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | herrold, jeff, jonathansteffan, kylev, marc | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| URL: | http://github.com/sstephenson/prototype/blob/master/CHANGELOG | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2021-10-19 09:09:09 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 712427 | ||||||
| Attachments: |
|
||||||
|
Description
Jan Lieskovsky
2009-09-14 17:37:07 UTC
This issue affects the versions of the WordPress package, as shipped with Fedora 10 and 11 (wordpress-2.8.4-1.fc10 and wordpress-2.8.4-1.fc11). Please fix. Prototype.js location in F10 MediaTomb (mediatomb-0.11.0-9.fc10) is in:
BUILD/mediatomb-0.11.0/web/js/prototype.js. Relevant rows:
1120 var contentType = this.getHeader('Content-type');
1121 if (contentType && contentType.strip().
1122 match(/^(text|application)\/(x-)?(java|ecma)script(;.*)?$/i))
1123 this.evalResponse();
See test/unit/ajax.html from above upstream commit for testcases.
This issue affects the versions of MediaTomb package, as shipped with
Fedora release of 10 and 11 (mediatomb-0.11.0-9.fc10 and mediatomb-0.11.0-9.fc11).
Please fix.
Prototype.js can be found in F10 python-webhelpers (python-webhelpers-0.3.4-2.fc10) under:
BUILD/WebHelpers-0.3.4/webhelpers/rails/javascripts/prototype.js
Relevant lines:
1120 var contentType = this.getHeader('Content-type');
1121 if (contentType && contentType.strip().
1122 match(/^(text|application)\/(x-)?(java|ecma)script(;.*)?$/i))
1123 this.evalResponse();
See test/unit/ajax.html from above upstream commit for testcases.
This issue affects the version of python-webhelpers package, as shipped
with Fedora 10 and 11 (python-webhelpers-0.3.4-2.fc10 and python-webhelpers-0.6.4-3.fc11).
Please fix.
This issue does NOT affect the python-Scriptaculous package, as shipped with Fedora release of 10 and 11. Latest Fedora 10 and Fedora 11 packages (python-Scriptaculous-1.8.2-2.fc10 and python-Scriptaculous-1.8.2-2.fc11) already contain updated -- 1.6.0.3 version of Prototype JavaScript framework. prototype.js location in F10 Asterisk (asterisk-1.6.0.15-2.fc10) is in:
BUILD/asterisk-1.6.0.15/static-http/prototype.js. Relevant lines:
721 if ((this.header('Content-type') || '').match(/^text\/javascript/i))
722 this.evalResponse();
723 }
See test/unit/ajax.html from above upstream commit for testcases.
This issue affects the versions of Asterisk package, as shipped
with Fedora 10 and 11 (asterisk-1.6.0.15-2.fc10 and asterisk-1.6.1.6-1.fc11).
Please fix.
Location of prototype.js in EPEL-5 Plone (plone-3.1.6-1.el5) is in:
BUILD/Plone-3.1.6/lib/python/kss/core/plugins/effects/3rd_party/prototype.js.
Relevant lines:
844 if (state == 'Complete') {
845 if ((this.getHeader('Content-type') || '').strip().
846 match(/^(text|application)\/(x-)?(java|ecma)script(;.*)?$/i))
847 this.evalResponse();
See test/unit/ajax.html from above upstream commit for testcases.
Please fix.
Has this issue been reported upstream to any of these projects? I have reported the vulnerability in Asterisk upstream: https://issues.asterisk.org/view.php?id=16139 Hi Jeffrey, sorry, missed your question. Asterisk upstream has now addressed the issue in AST-2009-009: http://downloads.asterisk.org/pub/security/AST-2009-009.html Could you schedule F* Asterisk updates (together with AST-2009-008 -- BZ #533137)? Thanks, Jan. asterisk-1.6.0.17-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/asterisk-1.6.0.17-2.fc10 asterisk-1.6.1.9-1.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/asterisk-1.6.1.9-1.fc11 asterisk-1.6.1.9-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report. asterisk-1.6.0.17-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. Created attachment 450485 [details]
Upstream patch from git
(In reply to comment #16) > Upstream patch from git https://github.com/sstephenson/prototype/commit/02cc9992e915c024650ddc77a91064f7a4252914 |