Stefan Cornelius of Secunia reported that planet fails to sanitize this input:

<description>something something <img src="javascript:alert(2);"></img> - <img src="javascript:alert(3);" > should be filtered?</description>

while

<description>something something <![CDATA[<img src="javascript:alert(2);"></img> - <img src="javascript:alert(3);" > should be filtered?]]></description>

is properly filtered. At least Opera will execute this code.
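The point underneath this report is that an RSS <description> carries HTML as text, and once the XML layer has decoded it, an entity-escaped payload and a CDATA-wrapped payload are the same string, so a sanitizer has to run on the decoded text and reject the javascript: scheme itself, whichever way the feed encoded it. The following is an added example written for this page, not planet's own sanitizer: the two feed items are constructed to carry the report's payload in both well-formed encodings (the raw, unescaped markup from the report depends on how lenient the feed parser is and is not modelled here), and the tag/attribute whitelist, the scheme list and the function names are illustrative choices.

```python
import html
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed feed items (not from any real feed). Both carry the payload from
# the report; the first entity-escapes the HTML, the second wraps it in CDATA.
ITEM_ESCAPED = (
    "<item><description>something something "
    "&lt;img src=\"javascript:alert(2);\"&gt;&lt;/img&gt; - "
    "&lt;img src=\"javascript:alert(3);\" &gt; should be filtered?"
    "</description></item>"
)
ITEM_CDATA = (
    "<item><description><![CDATA[something something "
    "<img src=\"javascript:alert(2);\"></img> - "
    "<img src=\"javascript:alert(3);\" > should be filtered?]]>"
    "</description></item>"
)

# Illustrative whitelist; a real aggregator would carry a much longer one.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "img", "ul", "ol", "li"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def description_text(item_xml: str) -> str:
    """Return the <description> text as the feed parser sees it, i.e. with
    entities and CDATA already decoded by the XML layer."""
    root = ET.fromstring(item_xml)
    return root.findtext("description") or ""


def url_is_safe(value: str) -> bool:
    """Allow only whitelisted schemes. Entities are decoded and the whitespace
    and control characters that browsers ignore inside a scheme (e.g.
    'java\\tscript:') are removed before the scheme is compared."""
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", html.unescape(value))
    m = _SCHEME_RE.match(cleaned)
    if m is None:
        return True  # relative URL, no scheme at all
    return m.group(1).lower() in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Re-serialise an HTML fragment keeping only whitelisted tags, dropping
    on* event handlers and any href/src whose scheme is not whitelisted."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):
                continue
            if name in URL_ATTRS and (value is None or not url_is_safe(value)):
                continue
            if value is None:
                kept.append(name)
            else:
                kept.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(fragment: str) -> str:
    p = Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


if __name__ == "__main__":
    for item in (ITEM_ESCAPED, ITEM_CDATA):
        text = description_text(item)
        print("decoded:  ", text)
        print("sanitized:", sanitize(text))
```

Both items decode to the identical string, so any filter that behaves differently on the two is keying on the wire encoding rather than on the content. Dropping the offending attribute rather than the whole <img> is a design choice; a stricter sanitizer would drop the element.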
I think this is a duplicate. And it is already done. *** This bug has been marked as a duplicate of bug 522802 ***
(In reply to comment #3)
> I think this is a duplicate.
>
> And it is already done.
>
> *** This bug has been marked as a duplicate of 522802 ***

This should be a different issue from CVE-2009-2937, but we need more details from the reporter.
Adding the reporter to the CC. Also note that this issue seems to be public: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178
Just to be sure: when you say 'fully updated f11', what ver-rel of planet do you mean specifically?
This was tested using planet version 2.0 release 10.fc11 (planet-2.0-10.fc11.noarch).
Additional comments from the reporter:

Comment #30 of the Debian bug [1] reveals most of the information, thus Secunia has no objections against making the RH bug public. I'm not sure what the questions in the Debian bug are about, but here is how I understand the situation right now:

* Steve Kemp's first patch [2] does not catch all cases. A new patch [3] is available (please note that Fedora seems to ship the old patch).
* Secunia reported another problem (the CDATA one mentioned in e.g. comment #30 [1]). There is no patch for this, so that's probably the problem described in comment #45 [4].

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#30
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#5
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#10
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=546178#45
This does not have a CVE yet, but since the information in the Debian report is public, we need to request one from MITRE. I am also making the bug public as per the reporter and the information in the Debian report already being public.
CVE requested: http://www.openwall.com/lists/oss-security/2009/10/08/1