nongnu samizdat cross-site scripting vulnerability

Vulnerability ID: 1183656    Vulnerability type: cross-site scripting
Published: 2009-02-13    Updated: 2009-02-13
CVE: CVE-2009-0359    CNNVD-ID: CNNVD-200902-370
Platform: N/A    CVSS score: 3.5
|Vulnerability sources
https://www.securityfocus.com/bid/33768
https://cxsecurity.com/issue/WLB-2009020036
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-370
|Vulnerability details
Samizdat is a website-building engine based on the Resource Description Framework (RDF). Versions of Samizdat before 0.6.2 contain multiple cross-site scripting vulnerabilities. Remote authenticated users can inject arbitrary web script or HTML via (1) a message title or (2) a user's full name.
|Vulnerability EXP
Software: Samizdat, an open publishing web application written in Ruby
Vulnerability: cross-site scripting
Vulnerable Versions: 0.6.1 and earlier
Non-vulnerable Versions: 0.6.2, Debian package 0.6.1-3lenny1
Patch: http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-xss-escape-title.patch
References: CVE-2009-0359, DTSA-194-1

Description:

Samizdat 0.6.1 contains several code paths that fail to escape special HTML
characters in message title and user full name before these strings are included
in a Web page (in earlier versions, only user full name is exploitable). This
allows an attacker to perform a cross-site scripting attack by including a
specially crafted string in their full name or message title.

Test:

Login. Set your full name to a string including a special HTML character (any of
&"'<>). Publish a message with a title that includes a special character. Find
your message in the list of recent updates on the site front page, check the
HTML source to see whether the special characters were escaped as HTML entities.

Fix:

Samizdat 0.6.2 includes a fix for this vulnerability. Alternatively, a patch for
Samizdat 0.6.1 that closes this vulnerability is referenced above; it is also
recommended to apply a second patch that improves stability of the Samizdat
Sanitize module (a white-list HTML filter used to remove dangerous tags,
attributes, and CSS properties from user-submitted HTML):

http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-tidy-binary.patch

Both patches are included in the Debian package version 0.6.1-3lenny1.

Dmitry Borodaenko
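The manual check in the advisory above (set a special character in the full name or title, then inspect the front-page HTML) can be expressed in a few lines of Ruby, Samizdat's own language. This is an added example, not code from Samizdat or from the advisory: the two `render_update_*` functions are a hypothetical simplification of an unescaped and an escaped template, and the sample title and name are constructed.

```ruby
require 'cgi'

# Constructed samples of user-controlled strings, the kind an authenticated
# user could set as a profile full name or a message title (not real data).
SAMPLE_TITLE = %q{Hello <script>alert("xss")</script> & 'friends'}
SAMPLE_NAME  = %q{Mallory <img src=x onerror="alert(1)">}

# Element tags the hypothetical front-page template emits itself; any other
# tag in the rendered HTML must have come from user input.
TEMPLATE_TAGS = %w[li a /a /li].freeze

# Vulnerable pattern (simplified, hypothetical): user strings are
# interpolated into the page markup without escaping.
def render_update_unsafe(title, full_name)
  %(<li><a href="/message">#{title}</a> by #{full_name}</li>)
end

# Fixed pattern: every untrusted string is escaped where it enters the HTML.
# CGI.escapeHTML rewrites & < > " ' to entities (' becomes &#39;).
def render_update_safe(title, full_name)
  %(<li><a href="/message">#{CGI.escapeHTML(title)}</a> by #{CGI.escapeHTML(full_name)}</li>)
end

# The advisory's test, automated: list the element tags present in the
# rendered HTML that the template did not put there (empty means no injection).
def injected_tags(html)
  html.scan(%r{<(/?[A-Za-z][A-Za-z0-9]*)}).flatten.map(&:downcase) - TEMPLATE_TAGS
end

# True when a fragment contains the five special characters only as entities.
def fully_escaped?(fragment)
  leftover = fragment.gsub(/&(?:amp|lt|gt|quot|#39);/, '')
  leftover.count(%q{&"'<>}).zero?
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe render injects: #{injected_tags(render_update_unsafe(SAMPLE_TITLE, SAMPLE_NAME)).inspect}"
  puts "safe render injects:   #{injected_tags(render_update_safe(SAMPLE_TITLE, SAMPLE_NAME)).inspect}"
end
```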
|Affected products
Samizdat Samizdat 0.6.1
|References

Source: BID
Name: 33768
Link: http://www.securityfocus.com/bid/33768
Source: www.nongnu.org
Link: http://www.nongnu.org/samizdat/release-notes/samizdat-0.6.2.html
Source: BUGTRAQ
Name: 20090213 Cross-site scripting in Samizdat 0.6.1
Link: http://www.securityfocus.com/archive/1/archive/1/500961/100/0/threaded
Source: MLIST
Name: [debian-testing-security-announce] 20090211 Security update for Debian Testing - 2009-02-12
Link: http://www.mail-archive.com/debian-testing-security-announce@lists.debian.org/msg00171.html
Source: samizdat.nongnu.org
Link: http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-xss-escape-title.patch
Source: OSVDB
Name: 52022
Link: http://osvdb.org/52022