Bug#607494: ftpcopy: ftpls cross-site scripting when generating HTML listing
On Fri, Dec 16, 2011 at 11:58:31AM +, Gerrit Pape wrote:
> On Tue, Dec 13, 2011 at 06:01:52PM +0100, Moritz Muehlenhoff wrote:
> > On Sun, Dec 19, 2010 at 03:10:46AM +0100, non customers wrote:
> > > Subject: ftpcopy: ftpls cross-site scripting when generating HTML listing
> > >
> > > The ftpls command has a cross-site scripting (XSS) security bug when
> > > generating HTML listings:
> >
> > Gerrit, what's the status? This bug hasn't seen any action since a year.
>
> Hi Moritz, I completely forgot this report, sorry. I'll try to take a look
> within the next days, due to Christmas maybe next weeks.

Hi, I contacted upstream but didn't get a response. I'm about to remove
the html-output feature from ftpls with an upcoming upload, and think
about removing the package from Debian because of dead upstream
eventually.

Regards, Gerrit.

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#607494: ftpcopy: ftpls cross-site scripting when generating HTML listing
On Tue, Dec 13, 2011 at 06:01:52PM +0100, Moritz Muehlenhoff wrote:
> On Sun, Dec 19, 2010 at 03:10:46AM +0100, non customers wrote:
> > Subject: ftpcopy: ftpls cross-site scripting when generating HTML listing
> > Package: ftpcopy
> > Version: 0.6.7-2
> > Severity: important
> > Tags: security
> >
> > The ftpls command has a cross-site scripting (XSS) security bug when
> > generating HTML listings:
>
> Gerrit, what's the status? This bug hasn't seen any action since a year.

Hi Moritz, I completely forgot this report, sorry. I'll try to take a look
within the next days, due to Christmas maybe next weeks.

Regards, Gerrit.
Bug#607494: ftpcopy: ftpls cross-site scripting when generating HTML listing
On Sun, Dec 19, 2010 at 03:10:46AM +0100, non customers wrote:
> Subject: ftpcopy: ftpls cross-site scripting when generating HTML listing
> Package: ftpcopy
> Version: 0.6.7-2
> Severity: important
> Tags: security
>
> The ftpls command has a cross-site scripting (XSS) security bug when
> generating HTML listings:

Gerrit, what's the status? This bug hasn't seen any action since a year.

Cheers, Moritz
Bug#607494: ftpcopy: ftpls cross-site scripting when generating HTML listing
Subject: ftpcopy: ftpls cross-site scripting when generating HTML listing
Package: ftpcopy
Version: 0.6.7-2
Severity: important
Tags: security

The ftpls command has a cross-site scripting (XSS) security bug when
generating HTML listings:

$ ls -al /srv/ftp
total 12
drwxr-xr-x 2 root ftp  4096 Dec 19 02:40 .
drwxr-xr-x 3 root root 4096 Dec 19 02:34 ..
-rw-r--r-- 1 root root    0 Dec 19 02:39 body onLoad=alert('non-customers crew');
-rw-r--r-- 1 root root   39 Dec 19 02:40 number2
$ ftpls -h ftp://localhost/
htmlhead /headbody dl dta href=ftp://localhost/;body onLoad=alert('non-customers crew');body onLoad=alert('non-customers crew');/abr dd last modified 2010-12-19 02:39:00,0B dta href=ftp://localhost/number2;number2/abr dd last modified 2010-12-19 02:40:00, 39B /dl/body/html
$

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ftpcopy depends on:
ii  libc6  2.11.2-7  Embedded GNU C Library: Shared lib

ftpcopy recommends no packages.

ftpcopy suggests no packages.

-- no debconf information

--
non-customers crew | http://rock-madrid.com/
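The two renderers below are an added illustration of the bug class the report describes, not code from ftpcopy or ftpls: the first copies the file name into the listing verbatim, as the report's output shows, and the second encodes each value for the context it lands in (percent-encoding inside the URL, HTML escaping for attribute and text). The entry data mirrors the report's /srv/ftp listing and is constructed here.

```python
import html
from urllib.parse import quote

# Constructed sample entries mirroring the report's /srv/ftp listing:
# (file name, last-modified, size in bytes)
ENTRIES = [
    ("<body onLoad=alert('non-customers crew');>", "2010-12-19 02:39:00", 0),
    ("number2", "2010-12-19 02:40:00", 39),
]


def render_listing_unsafe(base, entries):
    """Listing built by plain string concatenation: the file name is copied
    verbatim into both the href attribute and the link text, so a name that
    contains HTML markup becomes markup in the generated page."""
    out = ["<html><head></head><body><dl>"]
    for name, mtime, size in entries:
        out.append(f'<dt><a href="{base}{name}">{name}</a><br>')
        out.append(f"<dd>last modified {mtime}, {size}B")
    out.append("</dl></body></html>")
    return "\n".join(out)


def render_listing_safe(base, entries):
    """Same listing with every untrusted value encoded for its context:
    the path segment is percent-encoded before it enters the URL, and the
    attribute value and link text are HTML-escaped (quote=True also
    escapes the quote characters that would close the attribute)."""
    out = ["<html><head></head><body><dl>"]
    for name, mtime, size in entries:
        href = html.escape(base + quote(name, safe=""), quote=True)
        text = html.escape(name, quote=True)
        out.append(f'<dt><a href="{href}">{text}</a><br>')
        out.append(f"<dd>last modified {html.escape(mtime)}, {int(size)}B")
    out.append("</dl></body></html>")
    return "\n".join(out)


def contains_injected_tag(page):
    """Check for a generated listing: a well-formed page carries exactly one
    <body> tag, so a second one means a file name was emitted as markup."""
    return page.lower().count("<body") > 1
```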