Your message dated Sun, 17 Sep 2006 15:08:08 -0400
with message-id <[EMAIL PROTECTED]>
and subject line sitebar: CVE-2006-3320: cross-site scripting
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: sitebar
Version: 3.3.8-1 3.2.6-7
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-3320: "Cross-site scripting (XSS) vulnerability in command.php
in SiteBar 3.3.8 and earlier allows remote attackers to inject arbitrary
web script or HTML via the command parameter."

According to the SiteBar svn history page [1], this has not been fixed
upstream.  The original report [2] contains a simple proof-of-concept.
I have not tested it.

The CVE indicates that the version in Sarge is also vulnerable.

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://teamforge.net/viewcvs/viewcvs.cgi/trunk/doc/history.txt?view=markup
[2] http://www.site.com/sitebar/command.php?command=[CODES]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFErx2dAud/2YgchcQRAhC0AJwP1iEPWCGSnv+4rViEmVMWLJeXIACgl76m
hZT2luFqY9Er9egsx7tx6k4=
=djii
-----END PGP SIGNATURE-----


--- End Message ---
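The bug report above only quotes the CVE text: command.php reflects the "command" request parameter into the page without encoding it. The following is an added illustration, not SiteBar's code and not the patch the maintainers applied (the page does not show that patch). It models the flaw as a function that interpolates the raw parameter into HTML, beside a hardened version that encodes it for an HTML text context with htmlspecialchars(). The function names and the sample payload are assumptions made for the example; the payload merely stands in for the "[CODES]" placeholder in the original report.

```php
<?php
// Added illustration, not SiteBar's code: a minimal model of a reflected XSS
// in a script that echoes a request parameter named "command", next to a
// hardened version. The SiteBar fix itself is not shown on the page, so
// this is a generic fix pattern, not the project's patch.

// Vulnerable: the raw parameter is interpolated straight into HTML, so any
// markup in it becomes part of the page.
function render_vulnerable(string $command): string
{
    return "<p>Unknown command: $command</p>";
}

// Hardened: encode for an HTML text context. ENT_QUOTES also encodes single
// quotes so the value stays safe inside quoted attributes; ENT_SUBSTITUTE
// avoids returning an empty string on invalid UTF-8, which would otherwise
// silently drop the output.
function render_hardened(string $command): string
{
    $safe = htmlspecialchars($command, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Unknown command: $safe</p>";
}

// Constructed sample payload (an assumption of this example, not the
// proof-of-concept from the original report).
$payload = '<script>alert(document.cookie)</script>';

// Simulates the request; in the real script the value would come from
// $_GET['command'].
echo render_vulnerable($payload), PHP_EOL;
echo render_hardened($payload), PHP_EOL;

// A quick self-check a packager might run after applying a fix: the hardened
// output must not contain the payload verbatim.
var_dump(strpos(render_hardened($payload), $payload) === false);
```

Run it with `php example.php`: the first line reproduces the injected script tag as live markup, the second shows it encoded as text, and the final check reports true. Note that htmlspecialchars() is only the right encoder when the value lands in HTML text or a quoted attribute; a parameter reflected into a JavaScript string, a URL, or CSS needs encoding for that context instead.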
--- Begin Message ---
Package: sitebar
Version: 3.3.8-1 3.2.6-7
Severity: serious

Fixed thanks to changes made to command.php by Thijs Kinkhorst.

Additionally fixed with separate changes to command.php with patch
received from upstream.

-- 
Kevin Coyner  GnuPG key: 1024D/8CE11941

--- End Message ---
