Package: websieve
Version: 0.62-1
Severity: grave
Tags: security

There is an XSS hole in the websieve user interface. For example, you may add a 
rule like,

'from' contains: <a href='debian.org'>Click me

and the HTML contains 

<b>From</b>' contains '<b><a href='debian.org'>Click me</a></b>'


Also, there seems to be unescaped stuff in the script making things much, much 
worse.
Using double quotes will break things. Setting up a rule such that,

'from' contains: </b>"blah"

yields,

Updatesieve Error: Cant' update script...
Returned Error: Putting script: script errors: line 73: syntax error, 
unexpected $undefined, expecting ')'
You can click on your browser's Back button to go back and try your entry again.


Looking at the source code, there seems to be A LOT of unescaped stuff. This 
problem is very annoying to me, but for others running websieve on an ISP 
level, this is a grave security problem.

- Adam


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages websieve depends on:
ii  libcyrus-imap-perl21          2.1.18-1   Interface to Cyrus imap client imc
ii  perl                          5.8.4-8    Larry Wall's Practical Extraction 

-- no debconf information
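
Both symptoms in the report come from the rule value being written unescaped into an output context: the HTML rule listing and the generated Sieve script. The following Perl sketch is an added example, not websieve's code and not part of the original report; it encodes the report's two inputs once per context. The names `html_escape`, `sieve_quote`, `build_rule` and the folder `INBOX.test` are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not websieve code: encode a user-supplied rule value
# separately for each context it is written into.
use strict;
use warnings;

# HTML context: neutralise markup characters before echoing the value
# back into the rule listing.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Sieve context: RFC 5228 quoted strings need backslash and double quote
# backslash-escaped. This example also rejects NUL, CR and LF, assuming
# the value comes from a single-line form field.
sub sieve_quote {
    my ($s) = @_;
    die "control character not allowed in rule value\n" if $s =~ /[\0\r\n]/;
    $s =~ s/(["\\])/\\$1/g;
    return qq{"$s"};
}

# Hypothetical rule builder: a header "contains" test filing into a folder.
# Values are passed as sprintf arguments, never as part of the format.
sub build_rule {
    my ($header, $value, $folder) = @_;
    return sprintf("if header :contains %s %s {\n    fileinto %s;\n}\n",
                   sieve_quote($header), sieve_quote($value),
                   sieve_quote($folder));
}

# The two inputs from the report above.
print qq{require ["fileinto"];\n};
for my $value (q{<a href='debian.org'>Click me}, q{</b>"blah"}) {
    print "# HTML listing: <b>", html_escape($value), "</b>\n";
    print build_rule('From', $value, 'INBOX.test');
}
```

The two encoders are not interchangeable: HTML-escaping a value before storing it in the Sieve script would change what the rule matches, and Sieve-quoting does nothing for the HTML listing.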

