Package: nusoap
Version: 0.9.5-1
Owner: [email protected]
Tags: security

Bogdan Calin of Acunetix discovered some cross-site scripting vulnerabilities in NuSOAP 0.9.5 relating to lack of escaping of PHP_SELF. This is an issue because of potentially malicious URLs being constructed along the lines of:

http://site/soapserver.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E

In such an event, NuSOAP will print a WSDL output page (service description) containing the maliciously crafted URL.

An upstream bug report exists at http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005 and a preliminary patch has been provided by the MantisBT project (which bundles NuSOAP) at: http://www.mantisbt.org/bugs/view.php?id=12312
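
An added illustration, not part of the original report and not NuSOAP's or MantisBT's code: it shows why echoing PHP_SELF into a service description page is unsafe and two ways to harden the output. The function names, the fixed host constant and the `$server` array are hypothetical; the array is constructed to mirror what PHP typically exposes for the URL quoted above.

```php
<?php
// Added example. Not NuSOAP code; all names here are hypothetical.

// Constructed stand-in for $_SERVER when the URL from the report is requested.
// PHP_SELF is the script name followed by the URL-decoded path info, so the
// text after "soapserver.php" is client-controlled. SCRIPT_NAME is not.
$server = [
    'SCRIPT_NAME' => '/soapserver.php',
    'PHP_SELF'    => '/soapserver.php/1<ScRiPt>prompt(923395)</ScRiPt>',
];

const BASE = 'http://site'; // assumed fixed, server-configured origin

// The pattern the report describes: PHP_SELF reaches the HTML page unescaped.
function endpoint_link_unescaped(array $server): string
{
    $url = BASE . $server['PHP_SELF'];
    return '<a href="' . $url . '?wsdl">WSDL</a>';
}

// Hardening 1: escape at the point of output, for the HTML attribute context.
function endpoint_link_escaped(array $server): string
{
    $url = htmlspecialchars(BASE . $server['PHP_SELF'] . '?wsdl', ENT_QUOTES, 'UTF-8');
    return '<a href="' . $url . '">WSDL</a>';
}

// Hardening 2: build the endpoint from SCRIPT_NAME, which carries no path
// info, and still escape on output.
function endpoint_link_script_name(array $server): string
{
    $url = htmlspecialchars(BASE . $server['SCRIPT_NAME'] . '?wsdl', ENT_QUOTES, 'UTF-8');
    return '<a href="' . $url . '">WSDL</a>';
}

// Reports whether a rendered fragment still contains a live script tag.
function has_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach (['endpoint_link_unescaped', 'endpoint_link_escaped', 'endpoint_link_script_name'] as $fn) {
    $html = $fn($server);
    printf("%-28s script tag present: %s\n  %s\n", $fn, has_script_tag($html) ? 'yes' : 'no', $html);
}
```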

