454621 – (CVE-2008-2929) CVE-2008-2929 Directory Server: multiple XSS issues

Bug 454621 (CVE-2008-2929) - CVE-2008-2929 Directory Server: multiple XSS issues

Summary: CVE-2008-2929 Directory Server: multiple XSS issues

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-2929
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	245248 454658 454660
Blocks:
TreeView+	depends on / blocked

Reported:	2008-07-09 12:59 UTC by Tomas Hoger
Modified:	2019-09-29 12:25 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-03-26 14:46:24 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0596	0	normal	SHIPPED_LIVE	Critical: Red Hat Directory Server 7.1 Service Pack 7 security update	2008-08-27 20:41:43 UTC
Red Hat Product Errata	RHSA-2008:0601	0	normal	SHIPPED_LIVE	Moderate: adminutil security update	2008-08-27 20:35:45 UTC

Description Tomas Hoger 2008-07-09 12:59:15 UTC

It was discovered that multiple CGI scripts used by Red Hat / Fedora Directory
Server did not properly sanitize %-escaped inputs, resulting in a possibility to
conduct cross-site scripting (XSS) attacks.

Issue was caused by a flow in an adminutil library that contain common
functionality used by multiple CGI scripts, such as affected GET / POST argument
parsing.

Issue is know to affect some Administration Express scripts and Directory Server
Gateway (DSGW) scripts.

Affected version:
Red Hat Directory Server 7.1
Red Hat Directory Server 8 (flaw limited to Administration Express issues, as
DSGW component is not shipped)
Fedora Directory Server

Comment 3 Tomas Hoger 2008-08-27 20:17:41 UTC

Lifting embargo.

Comment 4 Fedora Update System 2008-09-10 06:50:01 UTC

adminutil-1.1.7-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2008-09-10 07:18:16 UTC

adminutil-1.1.7-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Vincent Danen 2013-03-26 14:46:24 UTC

This issue has been addressed in following products:

  Red Hat Directory Server v8 EL4
  Red Hat Directory Server v8 EL5

Via RHSA-2008:0601 http://rhn.redhat.com/errata/RHSA-2008-0601.html

Comment 7 Vincent Danen 2013-03-26 14:47:50 UTC

This issue has been addressed in following products:

  Red Hat Directory Server v7.1

Via RHSA-2008:0596 http://rhn.redhat.com/errata/RHSA-2008-0596.html

Note You need to log in before you can comment on or make changes to this bug.