Bug 629585 (CVE-2010-3070)

Summary: CVE-2010-3070 php-nusoap: XSS vulnerability due improper escaping of URLs
Product: [Other] Security Response Reporter: Gianluca Sforna <giallu>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: david, jlieskov
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-21 21:34:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 633011    

Description Gianluca Sforna 2010-09-02 13:14:08 UTC 
Bogdan Calin at at Acunetix discovered a XSS vulnerability in NuSOAP 0.9.5

All details in:
http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005
Comment 1 Gianluca Sforna 2010-09-02 13:46:47 UTC 
An patch is provided at:

http://www.mantisbt.org/bugs/view.php?id=12312
Comment 2 Fedora Update System 2010-09-03 03:21:48 UTC 
php-nusoap-0.9.5-1.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/php-nusoap-0.9.5-1.fc12
Comment 3 Fedora Update System 2010-09-03 03:21:53 UTC 
php-nusoap-0.9.5-1.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/php-nusoap-0.9.5-1.fc13
Comment 4 Fedora Update System 2010-09-03 03:21:57 UTC 
php-nusoap-0.9.5-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/php-nusoap-0.9.5-1.fc14
Comment 5 Fedora Update System 2010-09-03 03:22:01 UTC 
php-nusoap-0.9.5-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/php-nusoap-0.9.5-1.el5
Comment 6 Fedora Update System 2010-09-03 16:43:30 UTC 
php-nusoap-0.9.5-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update php-nusoap'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/php-nusoap-0.9.5-1.fc14
Comment 7 Fedora Update System 2010-09-03 21:56:23 UTC 
php-nusoap-0.9.5-1.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update php-nusoap'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/php-nusoap-0.9.5-1.el5
Comment 8 Jan Lieskovsky 2010-09-12 12:58:13 UTC 
Moving this bug to Security Response Product, as it is record for security
issue. Thank you for addressing the issue.
Comment 9 Jan Lieskovsky 2010-09-12 12:59:58 UTC 
The CVE identifier of CVE-2010-3070 has been assigned to this issue:
[1] http://www.openwall.com/lists/oss-security/2010/09/07/4
Comment 10 Jan Lieskovsky 2010-09-12 13:18:01 UTC 
Fedora mantis bug:
[2] https://bugzilla.redhat.com/show_bug.cgi?id=633011
Comment 11 Gianluca Sforna 2011-02-21 21:34:33 UTC 
Looks like the update has been pushed to stable but the issue was not closed. doing it now.