On Sun, Jan 23, 2005 at 05:12:15PM +0100, Uwe Hermann wrote: > Hi, > > sorry, the mail about this bug somehow got lost in my inbox... > > (CC to debian-devel, any help with this issue is welcome) > > > On Wed, Nov 17, 2004 at 03:45:55AM +0100, Nicolas Gregoire wrote: > > Package: info2www > > Version: 1.2.2.9-22 > > Severity: normal > > Tags: security > > > > There's a XSS vulnerabilty in the info2www CGI. > > > > The following URL will display the document location using Javascript : > > /cgi-bin/info2www?(coreutils)<script>alert(document.location)<script> ^^^^^^^^ I anticipate that its supposed to be </script>
I'm not sure I understand the problem, though; what's wrong with displaying the document location (though its a bug and should be fixed, I don't see why its a security issue. Isn't the document location the thing that's already going to be in the address bar?) > > Every user-supplied parameter should be sanitized before use. > > ACK, I'll try to check the code, but it won't be easy I guess. The code > is from 1996, unmaintained and quite surely contains lots more security > issues. > > Any help and/or patches are really welcome! I can try to help, but I guess I have to undertand the problem first:) Justin -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]