Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 79691 - www-misc/htdig CAN-2005-0085 htdig XSS (embargoed)
Summary: www-misc/htdig CAN-2005-0085 htdig XSS (embargoed)
Status: RESOLVED DUPLICATE of bug 80602
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [wait] / 20050210?
Keywords:
Depends on:
Blocks:
 
Reported: 2005-01-27 02:49 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2008-04-23 08:11 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Attachments
htdig-3.2.0b6-unescaped_output.patch (htdig-3.2.0b6-unescaped_output.patch,837 bytes, patch)
2005-01-27 02:51 UTC, Sune Kloppenborg Jeppesen (RETIRED) 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-27 02:49:52 UTC 
htdig suffers from a cross site scripting flaw as found by Michael Krax. 
Looks like this one is different to the last and isn't based on bad 
templates.  The flaw doesn't seem to affect the htdig on htdig.org 
although there is no patch in CVS, so maybe they applied a quick patch 
themselves.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-01-27 02:51:55 UTC 
Created attachment 49640 [details, diff]
htdig-3.2.0b6-unescaped_output.patch
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-03 11:42:18 UTC 
Apparently parts of it leaked (see bug 80602). Asking for confirmation on v-s that it should be considered public.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 00:53:36 UTC 

*** This bug has been marked as a duplicate of 80602 ***