Bug#377299: sitebar: CVE-2006-3320: cross-site scripting

2006-07-28 Thread Thijs Kinkhorst
tags 377299 +patch
thanks

Hello,

 CVE-2006-3320: Cross-site scripting (XSS) vulnerability in command.php
 in SiteBar 3.3.8 and earlier allows remote attackers to inject arbitrary
 web script or HTML via the command parameter.

I've already fixed this by NMU in unstable. I've also prepared an
updated package for stable - question is if the security team wants to
release an advisory for this and if this package is ok. See attachment.

Let me know, if it's ok I'll upload it to stable-security.


Attached are the diffs for the sid NMU and the proposed sarge NMU.


Thanks.
Thijs
diff -u sitebar-3.2.6/debian/changelog sitebar-3.2.6/debian/changelog
--- sitebar-3.2.6/debian/changelog
+++ sitebar-3.2.6/debian/changelog
@@ -1,3 +1,11 @@
+sitebar (3.2.6-7.1) unstable; urgency=low
+
+  * Non-maintainer upload for security bug fix.
+  * Properly encode the 'command' parameter of command.php
+(CVE-2006-3320, Closes: #377299).
+
+ -- Thijs Kinkhorst [EMAIL PROTECTED]  Fri, 28 Jul 2006 14:42:47 +0200
+
 sitebar (3.2.6-7) unstable; urgency=low
 
   * Updated maintainer field to reference my shiny new debian.org address
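Review bot: The header line of the new entry, `sitebar (3.2.6-7.1) unstable; urgency=low`, does not match what the cover message says this package is for, namely an update for stable to be uploaded to stable-security. The distribution field should name the security suite rather than `unstable`, and the urgency should match the `urgency=high` used for the same fix in the 3.3.8-1.1 entry. The CVE and Closes references in the entry body are fine as they stand.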
only in patch2:
unchanged:
--- sitebar-3.2.6.orig/command.php
+++ sitebar-3.2.6/command.php
@@ -3814,7 +3814,7 @@
 
 ?
 
-div id=?php echo ($cw-hasErrors()?$errId:'command').'Head'??php echo T($cw-command)?/div
+div id=?php echo ($cw-hasErrors()?$errId:'command').'Head'??php echo htmlspecialchars(T($cw-command))?/div
 div id=?php echo ($cw-hasErrors()?$errId:'command').'Body'?
 ?php
 if ($cw-hasErrors())
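Review bot: Coverage is not demonstrated for the changed `Head` div line: the patch encodes this one echo of the command value, while the changelog describes the fix as encoding the 'command' parameter of command.php in general. Please confirm this is the only place in command.php where the request-supplied command reaches the page, and that `$errId`, which is echoed into the `id` attribute on the same line, cannot carry request input. Note also that `htmlspecialchars()` wraps the return value of `T()`, so a translated label that already contains entities will now be double-encoded; that errs on the safe side, but is worth a quick look at the translation strings.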
diff -u sitebar-3.3.8/debian/changelog sitebar-3.3.8/debian/changelog
--- sitebar-3.3.8/debian/changelog
+++ sitebar-3.3.8/debian/changelog
@@ -1,3 +1,11 @@
+sitebar (3.3.8-1.1) unstable; urgency=high
+
+  * High urgency upload for RC security bug fix.
+  * Properly encode the 'command' parameter of command.php
+(CVE-2006-3320, Closes: #377299).
+
+ -- Thijs Kinkhorst [EMAIL PROTECTED]  Fri, 28 Jul 2006 14:29:31 +0200
+
 sitebar (3.3.8-1) unstable; urgency=low
 
   * New upstream release and new maintainer (Closes: #358893)
only in patch2:
unchanged:
--- sitebar-3.3.8.orig/command.php
+++ sitebar-3.3.8/command.php
@@ -5809,7 +5809,7 @@
 ?
 div id=?php echo ($cw-hasErrors()?$errId:'command').'Head'? class=cmnTitle
 div id=help onclick=SB_openHelp('?php echo $onlineHelp ?')?/div
-div id=command?php echo SB_T($cw-command)?/div
+div id=command?php echo htmlspecialchars(SB_T($cw-command))?/div
 /div
 div id=?php echo ($cw-hasErrors()?$errId:'command').'Body'?
 ?php
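Review bot: The context line just above the change, `onclick=SB_openHelp('?php echo $onlineHelp ?')`, echoes `$onlineHelp` into a JavaScript string inside an HTML attribute with no encoding, and the patch leaves it untouched. If `$onlineHelp` is derived from the command name or any other request input, it needs encoding suited to that context (HTML escaping alone does not stop a quote from closing the JavaScript string), so it should be checked before this is treated as the complete fix. The `htmlspecialchars(SB_T(...))` change on the `command` div itself is appropriate for element content.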




Bug#377299: sitebar: CVE-2006-3320: cross-site scripting

2006-07-28 Thread Martin Schulze
Thijs Kinkhorst wrote:
>
>  CVE-2006-3320: Cross-site scripting (XSS) vulnerability in command.php
>  in SiteBar 3.3.8 and earlier allows remote attackers to inject arbitrary
>  web script or HTML via the command parameter.
>
> I've already fixed this by NMU in unstable. I've also prepared an
> updated package for stable - question is if the security team wants to
> release an advisory for this and if this package is ok. See attachment.
>
> Let me know, if it's ok I'll upload it to stable-security.

Please adjust the distribution to stable-security and the urgency to high,
then proceed.

Regards,

Joey

-- 
Let's call it an accidental feature.  -- Larry Wall

Please always Cc to me when replying to me on the lists.


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#377299: sitebar: CVE-2006-3320: cross-site scripting

2006-07-07 Thread Alec Berryman
Package: sitebar
Version: 3.3.8-1 3.2.6-7
Severity: serious
Tags: security


CVE-2006-3320: Cross-site scripting (XSS) vulnerability in command.php
in SiteBar 3.3.8 and earlier allows remote attackers to inject arbitrary
web script or HTML via the command parameter.

According to the SiteBar svn history page [1], this has not been fixed
upstream.  The original report [2] contains a simple proof-of-concept.
I have not tested it.

The CVE indicates that the version in Sarge is also vulnerable.

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://teamforge.net/viewcvs/viewcvs.cgi/trunk/doc/history.txt?view=markup
[2] http://www.site.com/sitebar/command.php?command=[CODES]


