tags 281655 patch
thanks

I've included a 2-line patch which implements some output sanitization. I can't find any other instance where this is a problem, but don't take my word for it; I haven't followed the code *that* closely.
Since info filenames/titles can be named anything (which is a Good Thing), the way to handle this is to escape '<' (and '>' while we're at it). This prevents anyone from sticking any html anywhere.

I would also like to see this code use perl -T (for testing, as well as for installation, I think). I will probably play with this later tonight. I've never used perl -T before and it may very well break this program horribly.

Justin

On Sun, Jan 23, 2005 at 11:56:50AM -0500, pryzbyj wrote:
> On Sun, Jan 23, 2005 at 05:12:15PM +0100, Uwe Hermann wrote:
> > Hi,
> >
> > sorry, the mail about this bug somehow got lost in my inbox...
> >
> > (CC to debian-devel, any help with this issue is welcome)
> >
> >
> > On Wed, Nov 17, 2004 at 03:45:55AM +0100, Nicolas Gregoire wrote:
> > > Package: info2www
> > > Version: 1.2.2.9-22
> > > Severity: normal
> > > Tags: security
> > >
> > > There's an XSS vulnerability in the info2www CGI.
> > >
> > > The following URL will display the document location using Javascript :
> > > /cgi-bin/info2www?(coreutils)<script>alert(document.location)<script>
> >
> > Hm, seems like I can't reproduce this. If I enter the above URL in a
> > browser (I tried Galeon and Firefox) I get:
>
> If I change it to /script then I can reproduce the alleged problem. I
> guess I don't understand XSS vulnerabilities... The whole point is
> that malicious Mallory can post a link to nonmalicious site
> nice.com/cgi-bin/info2www<script>alert("Boo!")</script>? That still
> seems like a nonissue, because Mallory could just as easily have put
> an alert() on his own page (okay, maybe if mallory's page is in a
> "malicious" list, and nice.com is in a "trusted" list it makes
> sense).
>
> > > Every user-supplied parameter should be sanitized before use.
> >
> > ACK, I'll try to check the code, but it won't be easy I guess. The code
> > is from 1996, unmaintained and quite surely contains lots more security
> > issues.
>
> This shouldn't be difficult, really. The only user input comes from
> the URL, and it should probably be restricted to certain character
> ranges [a-z0-9-] or something.
--- info2www 2005-01-23 17:38:28.000000000 -0500 +++ /tmp/info2www.patch 2005-01-23 17:39:52.000000000 -0500 @@ -1138,8 +1138,6 @@ # Print an HTML error message sub Error { local($reason) = @_; - $reason=~s/</</gs; - $reason=~s/>/>/gs; print "<STRONG>Sorry! - $reason</STRONG>\n<P>\n"; return(0); }
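Review bot: the diff looks reversed: `--- info2www` is the original and `+++ /tmp/info2www.patch` the edited copy, so the two `s///` lines that the message describes as the added sanitization appear as `-` (removed) lines, and `patch` would strip them rather than add them; regenerate it as `diff -u info2www.orig info2www`. As rendered here, `s/</</gs` and `s/>/>/gs` replace each character with itself (a no-op); the intended right-hand sides are presumably the entities `&lt;` and `&gt;`, which the mail rendering has decoded, so anyone applying this from the archive should verify the replacement text. While touching it, escape `&` first (`s/&/&amp;/g`) so the output stays well-formed HTML, and drop the `s` modifier, which does nothing for a pattern without `.`. Note that this covers only `Error()`; the message itself says other places that echo the requested name were not checked, and those need the same escaping.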
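The two mitigations discussed in Justin's message (escaping output, and running under perl -T with the info file name restricted to a fixed character set), written out as an added example rather than code from info2www; the allowed character set and the CGI plumbing are assumptions, and the sample query is the payload from the bug report.

```perl
#!/usr/bin/perl -T
# Added example (not the info2www code): escape HTML output and
# restrict the requested info file name under taint mode.
use strict;
use warnings;

# Escape the characters that matter in HTML text. '&' must go first,
# otherwise the entities produced for '<' and '>' would be re-escaped.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Print an HTML error message, escaping $reason (the path the patch covers).
sub Error {
    my ($reason) = @_;
    print "<STRONG>Sorry! - ", html_escape($reason), "</STRONG>\n<P>\n";
    return 0;
}

# Under -T, QUERY_STRING is tainted and the only way to untaint it is a
# regex capture of an explicitly allowed character set. The set below is
# an assumption: names like "(coreutils)Top" need a bit more than
# [a-z0-9-], but still nothing that has meaning in HTML.
sub untaint_info_name {
    my ($q) = @_;
    return $1 if defined $q && $q =~ /^([A-Za-z0-9_.()\/ -]{1,200})$/;
    return undef;
}

# Constructed input: the payload from the bug report (with the closing
# tag corrected), used when no CGI query string is present.
my $query = $ENV{QUERY_STRING}
    // '(coreutils)<script>alert(document.location)</script>';

my $name = untaint_info_name($query);
if (!defined $name) {
    # Rejected input is echoed only through html_escape, so the browser
    # sees &lt;script&gt;... as text, never as a live tag.
    Error("Bad info file name: $query");
} else {
    print "Would open info file: $name\n";
}
```

Run it as `perl -T example.pl`; invoking it as `perl example.pl` fails with "Too late for -T", which is taint mode refusing to be enabled after startup.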