Bug 79691

Summary:

www-misc/htdig CAN-2005-0085 htdig XSS (embargoed)

Product:

Gentoo Security

Reporter:

Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED DUPLICATE

Severity:

minor

Priority:

High

Version:

unspecified

Hardware:

All

OS:

All

Whiteboard:

B4 [wait] / 20050210?

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
htdig-3.2.0b6-unescaped_output.patch	none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-01-27 02:49:52 UTC

htdig suffers from a cross site scripting flaw as found by Michael Krax. 
Looks like this one is different to the last and isn't based on bad 
templates.  The flaw doesn't seem to affect the htdig on htdig.org 
although there is no patch in CVS, so maybe they applied a quick patch 
themselves.

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2005-01-27 02:51:55 UTC

Created attachment 49640 [details, diff]
htdig-3.2.0b6-unescaped_output.patch

Comment 2 Thierry Carrez (RETIRED) gentoo-dev

2005-02-03 11:42:18 UTC

Apparently parts of it leaked (see bug 80602). Asking for confirmation on v-s that it should be considered public.

Comment 3 Thierry Carrez (RETIRED) gentoo-dev

2005-02-04 00:53:36 UTC


*** This bug has been marked as a duplicate of 80602 ***