Your message dated Wed, 27 Sep 2006 16:02:22 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#389361: fixed in elog 2.6.2+r1719-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: elog
Version: 2.6.1+r1642-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

when editing a log entry in HTML mode, elog accepts arbitrary JavaScript
code. This code will be executed in the browser of other users viewing the
entry (provided they have JavaScript enabled), thus exposing the users
to an XSS (cross-site scripting) attack.

To reproduce the problem, add or edit a log entry, switch to HTML mode
and enter the following code snippet:

--------------------------------8<------------------------------
<script type='text/javascript'>
<!--
  alert("There seems to be the possibility of an XSS attack...");
//-->
</script>
--------------------------------8<------------------------------

When viewing the entry, a JavaScript popup should appear.

To remedy the problem, all <script> tags should be filtered out (or
better yet, only "safe" HTML code should be allowed). At the very least,
it should be possible to disable HTML entries (and this should be the
default, with a big warning if someone wants to change it).

Cheers, Til


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-amd64-k8-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages elog depends on:
ii  adduser                      3.97        Add and remove users and groups
ii  libc6                        2.3.6.ds1-4 GNU C Library: Shared libraries

elog recommends no packages.

-- no debconf information


--- End Message ---
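The allowlist approach the report recommends, as an added example that is not part of the bug report or of elog's own code (elog is written in C; this Python sanitizer only illustrates the policy): a parser that keeps an assumed set of formatting tags, drops every other tag, discards the body of script/style elements and HTML comments, and keeps only allowlisted attributes with http(s) links. Fed the snippet from the report, it returns nothing but whitespace.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist for a logbook: plain formatting plus links. Anything not
# listed here is removed; the tag set is a choice for the example, not elog's.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "pre", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}        # all other attributes (on*, style, ...) are dropped
ALLOWED_SCHEMES = {"http", "https"}    # href values with any other scheme are dropped
DROP_WITH_CONTENT = {"script", "style"}  # tag *and* its body are discarded
VOID_TAGS = {"br"}                     # no closing tag emitted


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text (handled by handle_data)
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and urlparse(value).scheme not in ALLOWED_SCHEMES:
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text so it cannot form markup

    def handle_comment(self, data):
        pass  # comments are dropped; the posted snippet wraps its script body in one


def sanitize(html_text):
    """Return html_text reduced to the allowlisted subset above."""
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()  # flush buffered text
    return "".join(parser.out)
```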
--- Begin Message ---
Source: elog
Source-Version: 2.6.2+r1719-1

We believe that the bug you reported is fixed in the latest version of
elog, which is due to be installed in the Debian FTP archive:

elog_2.6.2+r1719-1.diff.gz
  to pool/main/e/elog/elog_2.6.2+r1719-1.diff.gz
elog_2.6.2+r1719-1.dsc
  to pool/main/e/elog/elog_2.6.2+r1719-1.dsc
elog_2.6.2+r1719-1_i386.deb
  to pool/main/e/elog/elog_2.6.2+r1719-1_i386.deb
elog_2.6.2+r1719.orig.tar.gz
  to pool/main/e/elog/elog_2.6.2+r1719.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Recai Oktaş <[EMAIL PROTECTED]> (supplier of updated elog package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 28 Sep 2006 01:36:38 +0300
Source: elog
Binary: elog
Architecture: source i386
Version: 2.6.2+r1719-1
Distribution: unstable
Urgency: critical
Maintainer: Recai Oktaş <[EMAIL PROTECTED]>
Changed-By: Recai Oktaş <[EMAIL PROTECTED]>
Description: 
 elog       - Logbook system to manage notes through a Web interface
Closes: 389361
Changes: 
 elog (2.6.2+r1719-1) unstable; urgency=critical
 .
   * Urgency set to critical because of the security issues.
   * New upstream release grabbed from Subversion (r1719).
     + Fix an XSS vulnerability, which occurs when editing a log entry
       in HTML mode.  (Closes: #389361)
Files: 
 9b57b5e7ec8d77485ed8c66646d1a80b 571 web optional elog_2.6.2+r1719-1.dsc
 b317563258ee8b0b3e2375a5f5e33315 663231 web optional elog_2.6.2+r1719.orig.tar.gz
 dd4004ac4d48871aa6bc4e5a18a0fe9f 12347 web optional elog_2.6.2+r1719-1.diff.gz
 8abf9e948743707e400409fdfe63ac55 653274 web optional elog_2.6.2+r1719-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFGv6VnA44mz/SXIQRAhOvAJ49kkB3+thIEGLEYwYcSfzM4rSpJgCfRnDS
cg6CD85jsNiB1s2IrqU0QlQ=
=x00F
-----END PGP SIGNATURE-----


--- End Message ---