Your message dated Thu, 5 May 2005 16:22:20 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Removed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Feb 2005 22:33:29 +0000
From: Djoume SALVETTI <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: openwebmail: [CAN-2005-0445] XSS via domainname
X-Mailer: reportbug 3.7.1
Date: Thu, 17 Feb 2005 23:33:24 +0100

Package: openwebmail
Version: 2.41-10
Severity: normal


Good day,

From CAN-2005-0445:

| Cross-site scripting (XSS) vulnerability in Open WebMail 2.x allows
| remote attackers to inject arbitrary HTML or web script via the domain
| name parameter (logindomain) in the login page.

This problem is fixed upstream; you can find a patch here:

http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-05:01/2.5x.patch

Regards

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.9-rfb-swsusp
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages openwebmail depends on:
ii  apache [httpd]                1.3.33-4   versatile, high-performance HTTP s
ii  apache-ssl [httpd]            1.3.33-4   versatile, high-performance HTTP s
ii  debconf                       1.4.45     Debian configuration management sy
pn  libauthen-pam-perl                       Not found.
ii  libdbd-mysql-perl             2.9003-3   A Perl5 database interface to the 
pn  libmd5-perl                              Not found.
pn  libnet-ldap-perl                         Not found.
pn  libpg-perl                               Not found.
ii  libtext-iconv-perl            1.2-3      Convert between character sets in 
ii  perl                          5.8.4-6    Larry Wall's Practical Extraction 
ii  perl-suid                     5.8.4-6    Runs setuid Perl scripts
ii  ucf                           1.14       Update Configuration File: preserv
pn  wwwconfig-common                         Not found.

---------------------------------------
Received: (at 295756-done) by bugs.debian.org; 5 May 2005 15:22:30 +0000
Date: Thu, 5 May 2005 16:22:20 +0100
From: Martin Michlmayr <[EMAIL PROTECTED]>
Subject: Removed

openwebmail has been removed from Debian because it had no Debian
maintainer and because it has a number of security holes.
-- 
Martin Michlmayr
http://www.cyrius.com/

