Cross-site scripting in Samizdat 0.6.1
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Cross-site scripting in Samizdat 0.6.1
- From: Dmitry Borodaenko <angdraug@xxxxxxxxx>
- Date: Fri, 13 Feb 2009 14:43:46 +0200
- List-id: <bugtraq.list-id.securityfocus.com>
Software: Samizdat, an open publishing web application written in Ruby
Vulnerability: cross-site scripting
Vulnerable Versions: 0.6.1 and earlier
Non-vulnerable Versions: 0.6.2, Debian package 0.6.1-3lenny1
Patch:
http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-xss-escape-title.patch
References: CVE-2009-0359, DTSA-194-1
Description:
Samizdat 0.6.1 contains several code paths that fail to escape HTML special
characters in the message title and the user full name before those strings are
included in a web page (in earlier versions, only the user full name is
exploitable). This allows any user who can set a full name or publish a message
to perform a cross-site scripting attack by including a specially crafted string
in their full name or message title; the payload is rendered to everyone who
views a page on which the title or name appears, such as the front page.
Test:
Log in. Set your full name to a string that includes an HTML special character
(any of &"'<>). Publish a message whose title also includes such a character.
Find your message in the list of recent updates on the site front page and check
the HTML source to see whether the special characters were escaped as HTML
entities (&amp; &quot; &#39; &lt; &gt;). If they appear raw in the markup, the
installation is vulnerable.
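The following Ruby snippet is an added example (not Samizdat's code and not the
patch referenced above) that shows the class of defect the description and the
test procedure refer to: a rendering path that interpolates an untrusted title
and full name straight into markup, the same path hardened with CGI.escapeHTML,
and an automated version of the manual "check the HTML source" step. The
<li>/<a>/<span> markup, the sample title and name, and the route "/message"
are assumptions made for the example.

```ruby
require 'cgi'

# Constructed sample data (not taken from any Samizdat site): a message title
# and a full name that together contain every character the advisory lists
# as HTML-special (&"'<>).
TITLE = %q{Hello & "World" <script>alert('xss')</script}
FULL_NAME = %q{Eve <img src=x onerror=alert(1)>}

# Vulnerable pattern: untrusted strings dropped into markup without escaping.
# Illustrates the defect class in the advisory; markup layout is assumed.
def render_update_unsafe(title, full_name)
  %(<li><a href="/message">#{title}</a> by <span class="author">#{full_name}</span></li>)
end

# Hardened form: escape every HTML-special character before interpolation.
# CGI.escapeHTML maps & < > " ' to &amp; &lt; &gt; &quot; &#39; respectively.
def render_update_safe(title, full_name)
  %(<li><a href="/message">#{CGI.escapeHTML(title)}</a> by <span class="author">#{CGI.escapeHTML(full_name)}</span></li>)
end

# Automated version of the advisory's test: extract the text that was rendered
# for the title link and the author span, drop well-formed entities (an escaped
# page legitimately contains '&' inside &amp; and friends), and report every
# raw special character that survived. An empty result means the page escaped
# the untrusted strings; a non-empty one means the XSS sink is live.
SPECIAL = /[&"'<>]/
ENTITY  = /&(?:amp|lt|gt|quot|#39);/
FRAGMENT = %r{<a href="/message">(.*?)</a> by <span class="author">(.*?)</span>}m

def unescaped_specials(html)
  fragments = html.scan(FRAGMENT).flatten
  fragments.flat_map { |f| f.gsub(ENTITY, '').scan(SPECIAL) }.uniq
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe rendering leaks: #{unescaped_specials(render_update_unsafe(TITLE, FULL_NAME)).inspect}"
  puts "safe rendering leaks:   #{unescaped_specials(render_update_safe(TITLE, FULL_NAME)).inspect}"
end
```

The check deliberately strips only the five entities an escaper is expected to
emit; if a site escapes some characters but not others (for example quotes but
not angle brackets), the missing ones still show up in the result, which is the
case the advisory's manual inspection is meant to catch.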
Fix:
Samizdat 0.6.2 includes a fix for this vulnerability. Alternatively, a patch for
Samizdat 0.6.1 that closes this vulnerability is referenced above; it is also
recommended to apply a second patch that improves stability of the Samizdat
Sanitize module (a white-list HTML filter used to remove dangerous tags,
attributes, and CSS properties from user-submitted HTML):
http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-tidy-binary.patch
Both patches are included in the Debian package version 0.6.1-3lenny1.
--
Dmitry Borodaenko