This entry is wrong,

>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/home/miwi/dev/ports/security/vuxml/vuln.xml
/usr/home/miwi/dev/ports/security/vuxml/vuln.xml:51435: parser error : Premature end of data in tag vuxml line 37

^
>>> FAILED.
*** Error code 1

Please ask for review next time.

- Martin

On Sat, Dec 12, 2009 at 10:58:59AM +0000, Wen Heping wrote:
> wen 2009-12-12 10:58:59 UTC
>
> FreeBSD ports repository
>
> Modified files:
> security/vuxml vuln.xml
> Log:
> - Document pligg -- Cross-Site Scripting and Cross-Site Request Forgery
>
> Revision Changes Path
> 1.2083 +41 -1 ports/security/vuxml/vuln.xml
>
> http://cvsweb.FreeBSD.org/ports/security/vuxml/vuln.xml.diff?r1=1.2082&r2=1.2083
> | --- ports/security/vuxml/vuln.xml 2009/12/11 15:27:17 1.2082 > | +++ ports/security/vuxml/vuln.xml 2009/12/12 10:58:58 1.2083 > | 
@@ -28,13 +28,53 @@ WHETHER IN CONTRACT, STRICT LIABILITY, O > | OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, > | EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > | > | - $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.xml,v > 1.2082 2009/12/11 15:27:17 miwi Exp $ > | + $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.xml,v > 1.2083 2009/12/12 10:58:58 wen Exp $ > | > | Note: Please add new entries to the beginning of this file. > | > | --> > | > | <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> > | + <vuln vid="bec38383-e6cb-11de-bdd4-000c2930e89b"> > | + <topic>pligg -- Cross-Site Scripting and Cross-Site Request > Forgery</topic> > | + <affects> > | + <package> > | + <name>pligg</name> > | + <range><lt>1.0.3b</lt></range> > | + </package> > | + </affects> > | + <description> > | + <body xmlns="http://www.w3.org/1999/xhtml"> > | + <p>secunia reports:</p> > | + <blockquote cite="http://secunia.com/advisories/37349"> > | + <p>Russ McRee has discovered some vulnerabilities in Pligg, > which can > | + be exploited by malicious people to conduct cross-site > scripting and > | + request forgery attacks.</p> > | + <p>Input passed via the "Referer" HTTP header to various scripts > (e.g. > | + admin/admin_config.php, admin/admin_modules.php, delete.php, > editlink.php, > | + submit.php, submit_groups.php, user_add_remove_links.php, and > | + user_settings.php) is not properly sanitised before being > returned to > | + the user. This can be exploited to execute arbitrary HTML and > script > | + code in a user's browser session in context of an affected > site.</p> > | + <p>The application allows users to perform certain actions via > HTTP > | + requests without performing any validity checks to verify the > requests. > | + This can be exploited to e.g. 
create an arbitrary user with > administrative > | + privileges if a logged-in administrative user visits a > malicious web > | + site.</p> > | + </blockquote> > | + </body> > | + </description> > | + <references> > | + <url>http://secunia.com/advisories/37349/</url> > | + <url>http://www.pligg.com/blog/775/pligg-cms-1-0-3-release/</url> > | + </references> > | + <dates> > | + <discovery>2009-12-02</discovery> > | + <entry>2009-12-12</entry> > | + </dates> > | + </vuln> > | + > | +<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> > | <vuln vid="fcbf56dd-e667-11de-920a-00248c9b4be7"> > | <topic>piwik -- php code execution</topic> > | <affects> >

-- 
+-----------------------+-------------------------------+
| PGP : 0xB1E6FCE9      | Jabber : miwi(at)BSDCrew.de   |
| Skype : splash_111    | Mail : miwi(at)FreeBSD.org    |
+-----------------------+-------------------------------+
| Mess with the Best, Die like the Rest!                |
+-----------------------+-------------------------------+
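
Review bot: the last added line of the hunk, `+<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">`, opens a second `<vuxml>` root element after the new `</vuln>`, while the unchanged `<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">` context line above the new entry is still in place. Nothing in the hunk adds a matching close, which is consistent with the xmllint failure quoted in the reply ("Premature end of data in tag vuxml line 37"). Drop that added line so the pligg entry sits directly between the existing root tag and the piwik entry, then re-run the `xmllint --valid --noout` check on vuln.xml before committing. Minor style point: `<p>secunia reports:</p>` should capitalize "Secunia".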
