Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 214266 - app-text/namazu <2.0.18 namazu.cgi UTF-7 Cross-Site Scripting (CVE-2008-1468)
Summary: app-text/namazu <2.0.18 namazu.cgi UTF-7 Cross-Site Scripting (CVE-2008-1468)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/29386/
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-03-22 16:00 UTC by Robert Buchholz (RETIRED)
Modified: 2008-03-29 20:21 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-03-22 16:00:25 UTC 
Secunia:
A vulnerability has been reported in Namazu, which can be exploited
by malicious people to conduct cross-site scripting attacks.

Input passed in certain character encodings (e.g. UTF-7) to
namazu.cgi is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.

The vulnerability is reported in versions prior to 2.0.18.

SOLUTION:
Update to version 2.0.18.

PROVIDED AND/OR DISCOVERED BY:
Reported via JVN.

ORIGINAL ADVISORY:
JVN: http://jvn.jp/jp/JVN%2300892830/index.html
Namazu: http://www.namazu.org/security.html.en
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-03-22 16:00:47 UTC 
please bump.
Comment 2 MATSUU Takuto (RETIRED) gentoo-dev 2008-03-24 17:21:48 UTC 
2.0.18 in cvs.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 17:25:18 UTC 
Arches, please test and mark stable:
=app-text/namazu-2.0.18
Target keywords : "ppc64 release x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-25 20:03:50 UTC 
x86 stable
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2008-03-26 16:49:47 UTC 
ppc64 stable
Comment 6 Peter Volkov (RETIRED) gentoo-dev 2008-03-26 19:27:49 UTC 
Fixed in release snapshot.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-03-29 19:49:41 UTC 
I vote NO.
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2008-03-29 19:58:06 UTC 
Voting NO too and closing.