Re: [Pdl-devel] [perl #128620] http://pdl.perl.org Vulnerable to XSS

2016-07-27 Thread sisyphus1
Apologies if this is a duplication of an earlier attempt to forward this 
report to the appropriate list.
(sourceforge does not play nicely with my system - so it's difficult for me 
to be sure.)

Cheers,
Rob

From: Mishra Dhiraj
Sent: Tuesday, July 26, 2016 6:06 AM
To: perlbug-follo...@perl.org
Subject: Re: [perl #128620] http://pdl.perl.org Vulnerable to XSS

Sir, it's been more than a week; can you please contact someone to patch 
that stuff,
https://sourceforge.net/p/pdl/bugs/426/

Thank you,

On Mon, Jul 18, 2016 at 5:44 AM, Tony Cook via RT wrote:
On Thu Jul 14 12:50:53 2016, mishra.dhira...@gmail.com wrote:
> Hello Sir ,
>
> The domain http://pdl.perl.org can lead to XSS:
> http://pdl.perl.org/index.php?docs=Core&title=
> allows an attacker to run a malicious script.

This address is for reporting bugs in perl itself.

pdl.perl.org appears to be maintained on sourceforge at

https://sourceforge.net/projects/pdl/

You might try reporting this problem there.

Closing.

Tony




-- 

Regards
Dhiraj Mishra.
GPG ID : 51720F56 | Finger Print : 1F6A FC7B 05AA CF29 8C1C ED65 3233 4D18 5172 0F56


--
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports.http://sdm.link/zohodev2dev
___
pdl-devel mailing list
pdl-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/pdl-devel


Re: [Pdl-devel] [perl #128620] http://pdl.perl.org Vulnerable to XSS

2016-07-27 Thread sisyphus1

From: Mishra Dhiraj
Sent: Wednesday, July 27, 2016 11:38 PM
To: sisyph...@optusnet.com.au
Cc: pdl-devel
Subject: Re: [perl #128620] http://pdl.perl.org Vulnerable to XSS

> I still don't understand. Can you please let me know where I should 
> report the issue?

Reporting it to https://sourceforge.net/p/pdl/bugs/426/ was the correct 
thing to do.

But posting about it on the p5p mailing list was the wrong place.
Instead you should have posted to pdl-devel@lists.sourceforge .
(You can subscribe to that list at 
https://lists.sourceforge.net/lists/listinfo/pdl-devel - however, I think 
you can post to that list without subscribing.)

> the bug isn't public because it's a security issue.

I think it's visible to anyone who has an account with (and who logs in to) 
sourceforge.

Having submitted your bug report, it's likely that it went unnoticed.
Now that the issue has also been raised on the pdl-devel list (and it has), 
we can be confident that it has been noticed.
Hopefully someone will now act upon it.

Thank you for persevering.

Cheers,
Rob 




Re: [Pdl-devel] [perl #128620] http://pdl.perl.org Vulnerable to XSS

2016-07-27 Thread David Mertens
I know nothing about PDL's web pages. The most recent work I know of on
them was back in 2013, when Joel Berger was trying to port things over to
github. At the time, Joel had produced an interesting XSS testing example
using the documentation from a particular Acme module:

http://pdlporters.github.com/?docs=Acme::XSS

To the best of my knowledge, that's not what we use for serving pdl.perl.org.

That's the extent of my knowledge of the problem, which I guess is to say,
nil. :-/

David

On Wed, Jul 27, 2016 at 10:10 AM,  wrote:

>
> From: Mishra Dhiraj
> Sent: Wednesday, July 27, 2016 11:38 PM
> To: sisyph...@optusnet.com.au
> Cc: pdl-devel
> Subject: Re: [perl #128620] http://pdl.perl.org Vulnerable to XSS
>
> > I still don't understand can you please let me know , where should i
> > report the issue,
>
> Reporting it to https://sourceforge.net/p/pdl/bugs/426/ was the correct
> thing to do.
>
> But posting about it on the p5p mailing list was the wrong place.
> Instead you should have posted to pdl-devel@lists.sourceforge .
> (You can subscribe to that list at
> https://lists.sourceforge.net/lists/listinfo/pdl-devel - however, I  think
> you can post to that list without subscribing.)
>
> > the bug isn't public because it's an security issue.
>
> I think it's visible to anyone who has an account with (and who logs in to)
> sourceforge.
>
> Having submitted your bug report, it's likely that it went unnoticed.
> Now that the issue has also been raised on the pdl-devel list (and it has),
> we can be confident that it has been noticed.
> Hopefully someone will now act upon it.
>
> Thank you for persevering.
>
> Cheers,
> Rob
>



-- 
 "Debugging is twice as hard as writing the code in the first place.
  Therefore, if you write the code as cleverly as possible, you are,
  by definition, not smart enough to debug it." -- Brian Kernighan


Re: [Pdl-devel] [perl #128620] http://pdl.perl.org Vulnerable to XSS

2016-07-27 Thread Zakariyya Mughal
On 2016-07-27 at 20:59:14 -0400, David Mertens wrote:
> I know nothing about PDL's web pages. The most recent work I know of on
> them was back in 2013, when Joel Berger was trying to port things over to
> github. At the time, Joel had produced an interesting XSS testing example
> using the documentation from a particular Acme module:
> 
> http://pdlporters.github.com/?docs=Acme::XSS
> 
> To the best of my knowledge, that's not what we use for serving pdl.perl.org
> .
> 
> That's the extent of my knowledge of the problem, which I guess is to say,
> nill. :-/

I would recommend switching to Joel's work since it uses much more
modern Web techniques and makes use of MetaCPAN for rendering. The
current code is rather old and to make it run under a PHP7 install, I
had to make some changes.

In the interim, I have fixed the vulnerability with this merge request.

Cheers,
- Zaki Mughal

> 
> David

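The report above concerns a reflected XSS through the title= query parameter of index.php, and Zaki's reply says the page is PHP. The site's source is not shown in this thread, so the following is an added illustration (not the pdl.perl.org code and not the content of the merge request) of the pattern such a bug usually comes from, placed beside the hardened form. The function names, the $_GET fallback and the sample payload are assumptions made for this example.

```php
<?php
// Added example, not the pdl.perl.org site's code (its source is not shown
// in the thread). Models a reflected XSS in a PHP page that echoes a
// query-string parameter into HTML, and the hardened equivalent.
// Function names and sample input are hypothetical.

// Vulnerable pattern: the untrusted title is concatenated into HTML
// unescaped, so a value containing markup is interpreted by the browser.
function render_title_vulnerable(string $title): string
{
    return "<h1>" . $title . "</h1>";
}

// Hardened pattern: HTML-escape the value for the context it lands in.
// ENT_QUOTES encodes both ' and ", so the same helper is also safe inside
// a quoted attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise hide a bug silently.
function render_title_safe(string $title): string
{
    $escaped = htmlspecialchars(
        $title,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return "<h1>" . $escaped . "</h1>";
}

// Constructed attacker-style value, of the kind a title= parameter could
// carry. When run from the CLI, $_GET is empty and this fallback is used,
// so the example runs without a web server.
$payload = '<script>alert(1)</script>';
$title   = $_GET['title'] ?? $payload;

echo render_title_vulnerable($title), "\n";
echo render_title_safe($title), "\n";
```

The first line of output carries the script element through to the browser intact; the second has the angle brackets, quotes and ampersands encoded as entities, so the same bytes are displayed as text rather than executed. The escaping has to match the output context: htmlspecialchars is right for element content and quoted attributes, but not for a value inserted into a JavaScript block or a URL, which need their own encoders.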