Bug 454621 (CVE-2008-2929) - CVE-2008-2929 Directory Server: multiple XSS issues
Summary: CVE-2008-2929 Directory Server: multiple XSS issues
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-2929
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 245248 454658 454660
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-07-09 12:59 UTC by Tomas Hoger
Modified: 2019-09-29 12:25 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-03-26 14:46:24 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2008:0596 0 normal SHIPPED_LIVE Critical: Red Hat Directory Server 7.1 Service Pack 7 security update 2008-08-27 20:41:43 UTC
Red Hat Product Errata RHSA-2008:0601 0 normal SHIPPED_LIVE Moderate: adminutil security update 2008-08-27 20:35:45 UTC

Description Tomas Hoger 2008-07-09 12:59:15 UTC
It was discovered that multiple CGI scripts used by Red Hat / Fedora Directory
Server did not properly sanitize %-escaped inputs, resulting in a possibility to
conduct cross-site scripting (XSS) attacks.

Issue was caused by a flow in an adminutil library that contain common
functionality used by multiple CGI scripts, such as affected GET / POST argument
parsing.

Issue is know to affect some Administration Express scripts and Directory Server
Gateway (DSGW) scripts.

Affected version:
Red Hat Directory Server 7.1
Red Hat Directory Server 8 (flaw limited to Administration Express issues, as
DSGW component is not shipped)
Fedora Directory Server

Comment 3 Tomas Hoger 2008-08-27 20:17:41 UTC
Lifting embargo.

Comment 4 Fedora Update System 2008-09-10 06:50:01 UTC
adminutil-1.1.7-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2008-09-10 07:18:16 UTC
adminutil-1.1.7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Vincent Danen 2013-03-26 14:46:24 UTC
This issue has been addressed in following products:

  Red Hat Directory Server v8 EL4
  Red Hat Directory Server v8 EL5

Via RHSA-2008:0601 http://rhn.redhat.com/errata/RHSA-2008-0601.html

Comment 7 Vincent Danen 2013-03-26 14:47:50 UTC
This issue has been addressed in following products:

  Red Hat Directory Server v7.1

Via RHSA-2008:0596 http://rhn.redhat.com/errata/RHSA-2008-0596.html


Note You need to log in before you can comment on or make changes to this bug.