Your message dated Tue, 15 Mar 2005 11:19:30 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Bugs closed
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Sun, 2 Jan 2005 18:30:38 +0100
From: Martin Schulze <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: CAN-2004-1059: Cross site scripting vulnerability
Message-ID: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="4ybNbZnZ8tziJ7D6"
Content-Disposition: inline
User-Agent: Mutt/1.5.6+20040907i


--4ybNbZnZ8tziJ7D6
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline

Package: mnogosearch
Version: 3.2.18-2.1
Severity: grave
Tags: security sid sarge patch

Michael Krax discovered XSS problems in several programs; mnogosearch is
among them.  For details please see:
http://lists.netsys.com/pipermail/full-disclosure/2004-December/030222.html

The attached patch should fix this problem, as does a newer version such
as 3.2.29.  Woody escapes <">& properly, and hence is not vulnerable.

Regards,

        Joey

-- 
There are lies, statistics and benchmarks.

Please always Cc to me when replying to me on the lists.

--4ybNbZnZ8tziJ7D6
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; 
filename="patch.CAN-2004-1059.mnogosearch.3.2.18"

diff -u -p -Nur mnogosearch-3.2.18/src/search.c 
mnogosearch-3.2.18.new/src/search.c
--- mnogosearch-3.2.18/src/search.c     Mon May 31 01:56:57 2004
+++ mnogosearch-3.2.18.new/src/search.c Sun Jan  2 10:45:23 2005
@@ -62,6 +62,131 @@ static void ParseQStringUnescaped(UDM_VA
        }
 }
 
+/* Copied from version 3.2.29:src/url.c */
+
+static const char *hexd= "0123456789ABCDEF";
+
+
+static int ch2x(int ch)
+{
+  if (ch >= '0' && ch <= '9')
+    return ch - '0';
+  
+  if (ch >= 'a' && ch <= 'f')
+    return 10 + ch - 'a';
+  
+  if (ch >= 'A' && ch <= 'F')
+    return 10 + ch - 'A';
+  
+  return -1;
+}
+
+
+/*
+  0 == safe and reserved characters
+  1 == control characters
+  2 == unsafe characters: space " ; < > ? [ \ ] ^
+  3 == non-graph ascii characters
+  
+  TODO:
+  
+  &.txt -> &amp;.txt (only in file name)
+  :.txt -> ./:.txt   (only in file name)
+  #.txt -> %22.txt   (only in file name)
+  ?.txt -> %3f.txt   (only in file name)
+*/
+
+static char path_enc_type[256]=
+{
+/*00*/  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
+/*10*/  1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
+/*20*/  2,0,2,2,0,2,4,0,0,0,0,0,0,0,0,0,  /*  !"#$%&'()*+,-./ */
+/*30*/  0,0,0,0,0,0,0,0,0,0,0,2,2,0,2,2,  /* 0123456789:;<=>? */
+/*40*/  0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,  /* @ABCDEFGHIJKLMNO */
+/*50*/  0,0,0,0,0,0,0,0,0,0,0,2,2,2,2,0,  /* PQRSTUVWXYZ[\]^_ */
+/*60*/  2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,  /* `abcdefghijklmno */
+/*70*/  0,0,0,0,0,0,0,0,0,0,0,2,2,2,0,1,  /* pqrstuvwxyz{|}~  */
+/*80*/  3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,
+/*90*/  3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,
+/*A0*/  3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,
+/*B0*/  3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,
+/*C0*/  3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,
+/*D0*/  3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,
+/*E0*/  3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,
+/*F0*/  3,3,3,3,3,3,3,3,3,3,3,3,3,3,3,3
+};
+
+
+/* 
+  Convert escaped characters to upper case: 0xea -> 0xEA
+  Unescape safe characters
+  Escape unsafe characters
+  dst should be 3+strlen(src)+1 bytes long
+*/
+size_t UdmURLCanonizePath(char *dst, size_t dstsize, const char *src)
+{
+  char *d0= dst;
+  char *de= dst + dstsize;
+  int query = 0;
+  
+  for ( ; src[0] && dst < de ; src++)
+  {
+    int code;
+    
+    if (src[0] == '%' && ch2x(src[1]) >= 0 && ch2x(src[2]) >= 0)
+    {
+      code= ch2x(src[1])*16 + ch2x(src[2]);
+      if (path_enc_type[code])
+      {
+        if (dst+3 < de)
+        {
+          *dst++= '%';
+          *dst++= hexd[ch2x(src[1])];
+          *dst++= hexd[ch2x(src[2])];
+          src+=2;
+          continue;
+        }
+        else
+          break;
+      }
+      else
+      {
+        /* Remove escaping from a safe character */
+        *dst++= code;
+        src+=2;
+        continue;
+      }
+    }
+    
+    if (src[0] == '?' && ! query)
+    {
+      query = 1;
+      *dst++= src[0];
+      continue;
+    }
+    
+    code= (int)(unsigned char)src[0];
+    if (path_enc_type[code] && ! (path_enc_type[code] == 4 && query))
+    {
+      if (dst+3 < de)
+      {
+        *dst++= '%';
+        *dst++= hexd[code >> 4];
+        *dst++= hexd[code & 0x0F];
+        continue;
+      }
+      else
+        break;
+    }
+    *dst++= src[0];
+  }
+  if (dst < de)
+    dst[0]= '\0';
+  return dst-d0;
+}
+
+/* End of copied section */
+
 static char * BuildPageURL(UDM_VARLIST * vars, char **dst) {
        size_t i, nargs = 0, dstlen = 0;
        char * end;
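Review bot: the size contract in the comment above `UdmURLCanonizePath` (`dst should be 3+strlen(src)+1 bytes long`) understates the worst case: every input byte can expand to three output bytes, so the buffer needs 3*strlen(src)+1, which is what the call site later passes. The room check `if (dst+3 < de)` is also one byte stricter than needed (three bytes are written, so `dst+3 <= de` suffices); with a buffer of exactly 3*len+1 the final character is silently dropped when everything has to be escaped, and the caller cannot tell a truncated result from a complete one. The table comment documents types 0..3, but the entry for `&` is 4 (used together with `query` to leave `&` unescaped after `?`); document type 4 there, and fix `#.txt -> %22.txt` in the TODO, since `#` is %23 (%22 is `"`). Note also that `'` (0x27) is classed 0 and therefore passes through unescaped, so the result is only safe if the templates never place the URL inside a single-quoted attribute.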
@@ -69,7 +194,7 @@ static char * BuildPageURL(UDM_VARLIST *
        for(i = 0; i < vars->nvars; i++) {
          dstlen += 7 + strlen(vars->Var[i].name) + strlen(vars->Var[i].val);
        }
-       *dst = (char*)UdmRealloc(*dst, dstlen);
+       *dst = (char*)UdmRealloc(*dst, dstlen*3);
        if (*dst == NULL) return NULL;
        end = *dst;
 
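Review bot: tripling the allocation (`UdmRealloc(*dst, dstlen*3)`) covers the worst-case expansion of the values, but it is a detached estimate: the size handed to the canonizer in the next hunk is computed from `strlen(vars->Var[i].val)` rather than from the space actually remaining in `*dst`, so the two bounds only stay correct as long as both formulas are changed together. Consider deriving the remaining space from the realloc size and `end - *dst` and passing that, so the allocation is the single source of truth.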
@@ -80,7 +205,7 @@ static char * BuildPageURL(UDM_VARLIST *
                        
                end=end+strlen(end);
                strcpy(end,"=");end++;
-               strcpy(end,vars->Var[i].val);
+               UdmCanonizePath(end, 
(strlen(vars->Var[i].val)*3)+1,vars->Var[i].val);
                        
                end=end+strlen(end);
                nargs++;
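Review bot: the call `UdmCanonizePath(end, ...)` does not match the function added earlier in this patch, which is defined as `UdmURLCanonizePath`; unless a `UdmCanonizePath` already exists elsewhere in the tree this will not compile (or, with an implicit declaration, will bind to the wrong symbol), so the name should be made consistent. The return value is also discarded and `end=end+strlen(end)` is used to advance, which relies on the canonizer having written the terminating NUL, something it only does when `dst < de` at loop exit; use the returned length to advance and compare it against the size passed so an early `break` is noticed.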

--4ybNbZnZ8tziJ7D6--
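As an added illustration (not code from the report or from mnoGoSearch itself), a stand-alone C encoder with the buffer contract the patch relies on (3*strlen+1), escaping the `<">&` the report names plus the single quote, and a check that no raw HTML metacharacter survives in the result; the function names and the sample value are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not from the Debian patch or mnoGoSearch. Percent-encodes
 * every byte that could break out of a URL or HTML attribute: the < " > &
 * named in the report plus space, single quote, control and non-ASCII bytes.
 * Requires dstsize >= 3*strlen(src)+1 (every byte may expand to %XX);
 * returns bytes written excluding the NUL, or (size_t)-1 if dst is too
 * small, so a truncated result can never be mistaken for a complete one. */
size_t url_encode_value(char *dst, size_t dstsize, const char *src)
{
    static const char hexd[] = "0123456789ABCDEF";
    char *d = dst;

    if (dstsize < 3 * strlen(src) + 1)
        return (size_t)-1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || strchr("-._~", c) != NULL;
        if (safe) {
            *d++ = (char)c;
        } else {                      /* %XX, upper-case hex digits */
            *d++ = '%';
            *d++ = hexd[c >> 4];
            *d++ = hexd[c & 0x0F];
        }
    }
    *d = '\0';
    return (size_t)(d - dst);
}

/* True when a string still carries a raw HTML metacharacter. */
int has_html_meta(const char *s)
{
    return strpbrk(s, "<>\"'&") != NULL;
}

/* Constructed sample: an attribute-breaking value and an undersized buffer.
 * Returns 1 when both are handled as documented above, 0 otherwise. */
int demo_check(void)
{
    char out[64], small[8];
    const char *expect = "%22%3E%3Cb%3E";
    size_t n = url_encode_value(out, sizeof out, "\"><b>");
    return n == strlen(expect) && strcmp(out, expect) == 0
           && !has_html_meta(out)
           && url_encode_value(small, sizeof small, "abcdefghij") == (size_t)-1;
}
```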

---------------------------------------
From: Philipp Hug <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
        [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Bugs closed
Date: Tue, 15 Mar 2005 11:19:30 +0100
User-Agent: KMail/1.7.1
MIME-Version: 1.0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <[EMAIL PROTECTED]>

Bugs closed by new upload 3.2.31-1...

