Bug 438664 - (CVE-2008-1468) CVE-2008-1468 namazu XSS flaw
CVE-2008-1468 namazu XSS flaw
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
http://bugs.gentoo.org/show_bug.cgi?i...
: Security
Depends On: 438666 438667 438668
Blocks:
  Show dependency treegraph
 
Reported: 2008-03-24 06:33 EDT by Lubomir Kundrak
Modified: 2008-05-06 12:03 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-06 12:03:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Lubomir Kundrak 2008-03-24 06:33:11 EDT
A vulnerability has been reported in Namazu, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Input passed in certain character encodings (e.g. UTF-7) to
namazu.cgi is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.

The vulnerability is reported in versions prior to 2.0.18.

ORIGINAL ADVISORY:
JVN: http://jvn.jp/jp/JVN%2300892830/index.html
Namazu: http://www.namazu.org/security.html.eniubvg
Comment 1 Lubomir Kundrak 2008-03-24 06:36:42 EDT
CVE name was requested.
Comment 3 Fedora Update System 2008-03-24 09:27:24 EDT
namazu-2.0.18-1.fc7 has been submitted as an update for Fedora 7
Comment 4 Fedora Update System 2008-03-24 09:32:03 EDT
namazu-2.0.18-1.fc8 has been submitted as an update for Fedora 8
Comment 5 Lubomir Kundrak 2008-03-25 04:32:55 EDT
CVE-2008-1468
Comment 6 Fedora Update System 2008-03-26 13:11:54 EDT
namazu-2.0.18-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2008-03-26 13:19:36 EDT
namazu-2.0.18-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 jonathan baron 2008-03-27 09:43:24 EDT
Update won't work because of missing dependencies:
Error: Missing Dependency: perl(time.pl) is needed by package namazu
Error: Missing Dependency: perl(util.pl) is needed by package namazu
Error: Missing Dependency: perl(document.pl) is needed by package namazu
Error: Missing Dependency: perl(nmzidx.pl) is needed by package namazu
Error: Missing Dependency: perl(var.pl) is needed by package namazu
Error: Missing Dependency: perl(conf.pl) is needed by package namazu
and likewise for namazu.cgi
This is in Fedora 8.
Comment 9 Lubomir Kundrak 2008-03-27 12:05:30 EDT
See section on filtering unwanted requires on details how to fix this.
http://fedoraproject.org/wiki/Packaging/Perl
Comment 10 Akira TAGOH 2008-03-28 07:20:37 EDT
Actually no. this was caused by following that. rpmbuild for F-8 seems not
looking into __perl_requires, but __find_requires. I have to revert that change
anyway.
Comment 11 Red Hat Product Security 2008-05-06 12:03:12 EDT
This issue was addressed in:

Fedora:
  https://admin.fedoraproject.org/updates/F7/FEDORA-2008-2678
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-2767


Note You need to log in before you can comment on or make changes to this bug.