CVE-2007-0901,0902: XSS in debugging information

Related Vulnerabilities: CVE-2007-0901   CVE-2007-0857   CVE-2007-0902  

Debian Bug report logs - #411084


Package: moin; Maintainer for moin is Steve McIntyre <93sam@debian.org>;

Reported by: Kees Cook <kees@outflux.net>

Date: Thu, 15 Feb 2007 21:45:02 UTC

Severity: grave

Tags: patch, security

Found in version 1.3.4-3

Fixed in version 1.5.3-1.1

Done: zobel@ftbfs.de (Martin Zobel-Helas)

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jonas Smedegaard <dr@jones.dk>: Bug#411084; Package moin.

Acknowledgement sent to Kees Cook <kees@outflux.net>: New Bug report received and forwarded. Copy sent to Jonas Smedegaard <dr@jones.dk>.


Message #5 received at submit@bugs.debian.org:

From: Kees Cook <kees@outflux.net>
To: Debian Bugs <submit@bugs.debian.org>
Subject: CVE-2007-0901,0902: XSS in debugging information
Date: Thu, 15 Feb 2007 13:41:47 -0800
Package: moin
Version: 1.3.4-3
Severity: grave
Tags: patch, security

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0901 says:

"Multiple cross-site scripting (XSS) vulnerabilities in Info pages in 
MoinMoin 1.5.7 allow remote attackers to inject arbitrary web script or 
HTML via the (1) hitcounts and (2) general parameters, different vectors 
than CVE-2007-0857."

This appears not to be true for the 1.5.x line of Moin, but it is true 
in 1.3.x.  Attached is the patch I'm using in Ubuntu, which also 
includes fixes for CVE-2007-0902, by allowing for "show_traceback" to be 
set to 0 in site configurations.

-- 
Kees Cook                                            @outflux.net
[091_fix-debug-report-xss.patch (text/x-diff, attachment)]
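As an added illustration (a constructed example, not MoinMoin's code and not the attached patch), the two points in the report side by side: request parameters echoed into an info/debug page without escaping versus escaped, and a show_traceback switch that keeps traceback text out of pages served to visitors. The parameter names hitcounts and general come from the CVE text; the function names and sample values are assumptions.

```python
import html
import traceback

# Constructed sample query parameters, shaped like the ones the CVE names
# (hitcounts, general); the hostile value is illustrative only.
PARAMS = {
    "action": "info",
    "hitcounts": '1"><script>alert(1)</script>',
    "general": "1",
}


def render_debug_info_unsafe(params):
    """'Before' shape of the bug: parameter names and values are pasted
    straight into the markup of the info page."""
    items = "".join(f"<li>{k}={v}</li>" for k, v in params.items())
    return "<ul>" + items + "</ul>"


def render_debug_info_safe(params):
    """Hardened form: every name and value is HTML-escaped (quotes included)
    before being echoed, so it can only ever render as text."""
    items = "".join(
        f"<li>{html.escape(k, quote=True)}={html.escape(v, quote=True)}</li>"
        for k, v in params.items()
    )
    return "<ul>" + items + "</ul>"


def render_error_page(exc, show_traceback):
    """Mirrors the show_traceback=0 site setting: with it off, visitors get
    a generic message and the traceback (paths, values, user input) never
    reaches the browser; with it on, the traceback is at least escaped."""
    if show_traceback:
        tb = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        return "<pre>" + html.escape(tb) + "</pre>"
    return "<p>An internal error occurred; details were logged for the site admin.</p>"


def contains_raw_script(markup):
    """Check used for verification: is there an unescaped script tag?"""
    return "<script>" in markup
```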

Bug marked as not found in version 1.5.3-1.1. Request was from zobel@ftbfs.de (Martin Zobel-Helas) to control@bugs.debian.org.

Bug marked as fixed in version 1.5.3-1.1; send any further explanations to Kees Cook <kees@outflux.net>. Request was from zobel@ftbfs.de (Martin Zobel-Helas) to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 21:39:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:43:53 2019; Machine Name: buxtehude
