Hi.

Thanks for reporting this.

After a quick analysis, I tend to believe that users of the standard PHP
5.3 Apache module packages with "suhosin.server.strip On" are safe: the
%3C and the like are converted to question marks ('?').

Still, this deserves some fixing.

Any comments or help welcome.

Best regards,

On Thursday, 02 September 2010 at 23:00 +1000, David Hicks wrote:

> Bogdan Calin of Acunetix discovered some cross site scripting
> vulnerabilities in NuSOAP 0.9.5 relating to lack of escaping of
> PHP_SELF. This is an issue because of potentially malicious URLs being
> constructed along the lines of:
> 
> http://site/soapserver.php/1%3CScRiPt%3Eprompt(923395)%3C/ScRiPt%3E
> 
> In such an event, NuSOAP will print a WSDL output page (service
> description) containing the maliciously crafted URL.
> 
> An upstream bug report exists at
> http://sourceforge.net/projects/nusoap/forums/forum/193579/topic/3834005
> and a preliminary patch has been provided by the MantisBT project (which
> bundles NuSOAP) at: http://www.mantisbt.org/bugs/view.php?id=12312
> 
> 
> 

-- 
Olivier BERGER <[email protected]>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
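
The escaping fix this thread asks for, as an added example that is not part of the original message and is neither NuSOAP's code nor the MantisBT patch: it contrasts writing PHP_SELF into the page raw with encoding it through htmlspecialchars() first. The function names and the HTML fragment are hypothetical, and the sample path is constructed from the URL quoted above, as PHP sees it once the percent-encoding is decoded.

```php
<?php
// Added illustration, not NuSOAP code. Function names and markup are hypothetical.

// Before: PHP_SELF goes into the HTML unescaped. PHP_SELF includes any
// extra path info after the script name, so the client controls part of it.
function render_service_link_unsafe(array $server): string
{
    return '<a href="' . $server['PHP_SELF'] . '?wsdl">WSDL</a>';
}

// After: encode for the HTML context at the point of output.
// ENT_QUOTES also encodes single quotes, which matters inside attributes.
function render_service_link_safe(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<a href="' . $self . '?wsdl">WSDL</a>';
}

// Constructed sample input: the path from the report, already URL-decoded.
$server = ['PHP_SELF' => '/soapserver.php/1<ScRiPt>prompt(923395)</ScRiPt>'];

$unsafe = render_service_link_unsafe($server);
$safe   = render_service_link_safe($server);

// The raw version carries the tag through to the page; the escaped one must not.
if (stripos($unsafe, '<script>') === false) {
    throw new RuntimeException('expected the unescaped output to contain the tag');
}
if (stripos($safe, '<script') !== false || strpos($safe, '&lt;ScRiPt&gt;') === false) {
    throw new RuntimeException('escaping did not neutralise the markup');
}

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;
```

Escaping at output time holds whether or not a server-side filter such as suhosin.server.strip is enabled, so the page does not depend on how a given host is configured.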
