Bug 438664 (CVE-2008-1468) - CVE-2008-1468 namazu XSS flaw
Summary: CVE-2008-1468 namazu XSS flaw
Status: CLOSED ERRATA
Alias: CVE-2008-1468
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://bugs.gentoo.org/show_bug.cgi?i...
Whiteboard:
Keywords: Security
Depends On: 438666 438667 438668
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-03-24 10:33 UTC by Lubomir Kundrak
Modified: 2008-05-06 16:03 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-06 16:03:12 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Lubomir Kundrak 2008-03-24 10:33:11 UTC
A vulnerability has been reported in Namazu, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Input passed in certain character encodings (e.g. UTF-7) to
namazu.cgi is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.

The vulnerability is reported in versions prior to 2.0.18.

ORIGINAL ADVISORY:
JVN: http://jvn.jp/jp/JVN%2300892830/index.html
Namazu: http://www.namazu.org/security.html.eniubvg

Comment 1 Lubomir Kundrak 2008-03-24 10:36:42 UTC
CVE name was requested.

Comment 3 Fedora Update System 2008-03-24 13:27:24 UTC
namazu-2.0.18-1.fc7 has been submitted as an update for Fedora 7

Comment 4 Fedora Update System 2008-03-24 13:32:03 UTC
namazu-2.0.18-1.fc8 has been submitted as an update for Fedora 8

Comment 5 Lubomir Kundrak 2008-03-25 08:32:55 UTC
CVE-2008-1468

Comment 6 Fedora Update System 2008-03-26 17:11:54 UTC
namazu-2.0.18-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2008-03-26 17:19:36 UTC
namazu-2.0.18-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 jonathan baron 2008-03-27 13:43:24 UTC
Update won't work because of missing dependencies:
Error: Missing Dependency: perl(time.pl) is needed by package namazu
Error: Missing Dependency: perl(util.pl) is needed by package namazu
Error: Missing Dependency: perl(document.pl) is needed by package namazu
Error: Missing Dependency: perl(nmzidx.pl) is needed by package namazu
Error: Missing Dependency: perl(var.pl) is needed by package namazu
Error: Missing Dependency: perl(conf.pl) is needed by package namazu
and likewise for namazu.cgi
This is in Fedora 8.


Comment 9 Lubomir Kundrak 2008-03-27 16:05:30 UTC
See section on filtering unwanted requires on details how to fix this.
http://fedoraproject.org/wiki/Packaging/Perl

Comment 10 Akira TAGOH 2008-03-28 11:20:37 UTC
Actually no. this was caused by following that. rpmbuild for F-8 seems not
looking into __perl_requires, but __find_requires. I have to revert that change
anyway.

Comment 11 Red Hat Product Security 2008-05-06 16:03:12 UTC
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2678
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2767




Note You need to log in before you can comment on or make changes to this bug.