tags 281655 patch
thanks

I've included a 2-line patch which implements some output
sanitization.  I can't find any other instance where this is a
problem, but don't take my word for it; I haven't followed the code
*that* closely.

Since info filenames/titles can be named anything (which is a Good
Thing), the way to handle this is to escape '<' (and '>' while we're
at it).  This prevents anyone from sticking any HTML anywhere.

I would also like to see this code use perl -T (for testing, as well
as for installation, I think).  I will probably play with this later
tonight.

I've never used perl -T before and it may very well break this program
horribly.

Justin

On Sun, Jan 23, 2005 at 11:56:50AM -0500, pryzbyj wrote:
> On Sun, Jan 23, 2005 at 05:12:15PM +0100, Uwe Hermann wrote:
> > Hi,
> > 
> > sorry, the mail about this bug somehow got lost in my inbox...
> > 
> > (CC to debian-devel, any help with this issue is welcome)
> > 
> > 
> > On Wed, Nov 17, 2004 at 03:45:55AM +0100, Nicolas Gregoire wrote:
> > > Package: info2www
> > > Version: 1.2.2.9-22
> > > Severity: normal
> > > Tags: security
> > > 
> > > There's an XSS vulnerability in the info2www CGI.
> > > 
> > > The following URL will display the document location using JavaScript:
> > > /cgi-bin/info2www?(coreutils)<script>alert(document.location)<script>
> > 
> > Hm, seems like I can't reproduce this. If I enter the above URL in a
> > browser (I tried Galeon and Firefox) I get:
> If I change it to /script then I can reproduce the alleged problem.  I
> guess I don't understand XSS vulnerabilities...  The whole point is
> that malicious Mallory can post a link to non-malicious site
> nice.com/cgi-bin/info2www<script>alert("Boo!")</script>?  That still
> seems like a nonissue, because Mallory could just as easily have put
> an alert() on his own page (okay, maybe if Mallory's page is in a
> "malicious" list, and nice.com is in a "trusted" list it makes
> sense).
> 
> > > Every user-supplied parameter should be sanitized before use.
> > 
> > ACK, I'll try to check the code, but it won't be easy I guess. The code
> > is from 1996, unmaintained and quite surely contains lots more security
> > issues.
> This shouldn't be difficult, really.  The only user input comes from
> the URL, and it should probably be restricted to certain character
> ranges [a-z0-9-] or something.
--- info2www    2005-01-23 17:38:28.000000000 -0500
+++ /tmp/info2www.patch 2005-01-23 17:39:52.000000000 -0500
@@ -1138,8 +1138,6 @@
 # Print an HTML error message
 sub Error {
     local($reason) = @_;
-    $reason=~s/</&lt;/gs;
-    $reason=~s/>/&gt;/gs;
     print "<STRONG>Sorry! - $reason</STRONG>\n<P>\n";
     return(0);
 }
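Review bot: the hunk is reversed: the header `@@ -1138,8 +1138,6 @@` and the `-` prefix on the two `$reason=~s/</&lt;/gs;` and `$reason=~s/>/&gt;/gs;` lines mean the escaping is being removed, and the `+++` side is `/tmp/info2www.patch`, i.e. the already-patched copy, so applying this as-is to the shipped `info2www` will not add the escaping the covering mail describes. Regenerate it with the files in the other order (`diff -u info2www.orig info2www`) so the two lines appear as `+`. While here, escape `&` as well, and do it before `<` and `>` so the `&lt;`/`&gt;` you emit are not re-escaped, since `$reason` is interpolated straight into the text of the `<STRONG>` element; the `s` modifier on both substitutions does nothing, as neither pattern contains `.`.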

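The two defences discussed in this thread, escaping HTML metacharacters on output (the patch) and restricting the query to an allow-list (pryzbyj's `[a-z0-9-]` suggestion), together with what perl -T asks of the CGI parameter, as an added example. This is not info2www's code and not from any poster: the `html_escape`, `parse_info_ref` and `error_html` names, the `(file)node` regex and its character classes, and the sample query string are all assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example (not info2www's own code): the two defences discussed in
# the thread, escaping HTML metacharacters on output and allow-listing the
# input, written so that it also runs cleanly under perl -T.
use strict;
use warnings;

# Escape every character that has a meaning in HTML text or attribute
# values.  The posted patch handles only '<' and '>'; '&' and '"' are
# added so that entities and attribute values cannot be forged either.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;    # first, so the entities emitted below stay intact
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Allow-list check for a reference of the form "(file)node", the shape the
# reporter's URL uses.  The character classes are an assumption made for
# this example; info2www itself accepts anything.  Under -T the regex
# captures are untainted copies, so they may be passed to open(), whereas
# the raw query string may not.
sub parse_info_ref {
    my ($query) = @_;
    if ($query =~ m{^\(([A-Za-z0-9_.+-]+)\)([A-Za-z0-9_ .+-]*)$}) {
        return ($1, $2);
    }
    return;    # anything else is rejected
}

# Same output as the patched Error() in the thread, but escaped once,
# through html_escape, so the attacker's tags come out as literal text.
sub error_html {
    my ($reason) = @_;
    return "<STRONG>Sorry! - " . html_escape($reason) . "</STRONG>\n<P>\n";
}

# Constructed input: the reporter's URL parameter with the closing tag
# written correctly.  When QUERY_STRING is set (as under a CGI server) it
# is used instead and, under -T, arrives tainted.
my $evil  = '(coreutils)<script>alert(document.location)</script>';
my $query = defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : $evil;

if (my ($file, $node) = parse_info_ref($query)) {
    print "Content-Type: text/plain\n\n";
    print "would open info file '$file', node '$node'\n";
} else {
    print "Content-Type: text/html\n\n";
    print error_html("Cannot find '$query'");
}
```

Run it as `perl -T example.pl` to get the taint checks Justin mentions: with QUERY_STRING exported, the raw value is tainted and only the regex captures could be handed to open(). The allow-list is deliberately narrow, which is the trade-off pryzbyj's `[a-z0-9-]` suggestion implies: it rejects the reported string outright, while html_escape alone would still display it, harmlessly, in the error message.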