Debian Bug report logs -
#352078
XSS in SPIP spip_login.php3 and spip_pass.php3
Reported by: Micah Anderson <micah@debian.org>
Date: Thu, 9 Feb 2006 16:18:44 UTC
Severity: normal
Done: Martin Michlmayr <tbm@cyrius.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Gaetan RYCKEBOER <gryckeboer@virtual-net.fr>:
Bug#352078; Package spip.
(full text, mbox, link).
Acknowledgement sent to Micah Anderson <micah@debian.org>:
New Bug report received and forwarded. Copy sent to Gaetan RYCKEBOER <gryckeboer@virtual-net.fr>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: spip
Severity: normal
XSS in SPIP spip_login.php3 and spip_pass.php3:
http://pridels.blogspot.com/2005/12/spip-xss-vuln.html
SPIP contains a flaw that allows a remote cross site scripting attack.
This flaw exists because input passed to paremters in "spip_login.php3"
"spip_pass.php3" fields isn't properly sanitised before being returned
to the user.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Information forwarded to debian-bugs-dist@lists.debian.org, Gaetan RYCKEBOER <gryckeboer@virtual-net.fr>:
Bug#352078; Package spip.
(full text, mbox, link).
Acknowledgement sent to Micah Anderson <micah@debian.org>:
Extra info received and forwarded to list. Copy sent to Gaetan RYCKEBOER <gryckeboer@virtual-net.fr>.
(full text, mbox, link).
Message #10 received at 352078@bugs.debian.org (full text, mbox, reply):
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This has CVE id: CVE-2005-4494
Please reference this in any changelogs that fix this issue.
Micah
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFD64SF9n4qXRzy1ioRAuTJAJ9sbrParlc22RdccNLkvv2XHh7QGgCfQSuF
5nfyiWNHw+hGjYnAtNxtxac=
=488q
-----END PGP SIGNATURE-----
Reply sent to Martin Michlmayr <tbm@cyrius.com>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Micah Anderson <micah@debian.org>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #15 received at 352078-done@bugs.debian.org (full text, mbox, reply):
spip has been removed because it's buggy, has never been part of a
stable release and security issues, see #384385
--
Martin Michlmayr
http://www.cyrius.com/
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 18 Jun 2007 20:12:30 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:03:47 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon