Bug 80602 - www-misc/htdig: Unspecified Input Validation Hole Permits Cross-Site Scripting Attacks
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High minor
Assignee: Gentoo Security
URL: http://securitytracker.com/alerts/200...
Whiteboard: B4 [glsa]
Duplicates: 79691
Reported: 2005-02-03 09:44 UTC by Jean-François Brunette (RETIRED)
Modified: 2005-02-13 12:58 UTC (History)

Attachments
htdig-3.2.0b6-unescaped_output.patch (837 bytes, patch)
2005-02-04 00:52 UTC, Thierry Carrez (RETIRED)

Description Jean-François Brunette (RETIRED) gentoo-dev 2005-02-03 09:44:01 UTC
Description:  An input validation vulnerability was reported in ht://dig. A remote user can conduct cross-site scripting attacks.

SuSE reported that a cross-site scripting vulnerability was discovered by Michael Krax. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ht://dig software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ht://dig software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 00:52:10 UTC
Created attachment 50309
htdig-3.2.0b6-unescaped_output.patch

Patch from RedHat
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 00:53:17 UTC
web-apps: please apply and bump
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-02-04 00:53:37 UTC
*** Bug 79691 has been marked as a duplicate of this bug. ***
Comment 4 Aaron Walker (RETIRED) gentoo-dev 2005-02-10 08:36:19 UTC
I've backported the patch to 3.1.6; qtest.cc doesn't exist in this release, so I've only patched htsearch.cc.

3.1.6-r7 is stable on x86.  amd64, ppc, and sparc, please mark stable.
Comment 5 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-10 09:14:42 UTC
stable on amd64
Comment 6 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-10 12:28:00 UTC
Stable on ppc.
Comment 7 Karl Hakimian 2005-02-11 09:52:31 UTC
htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is causing both versions to want to be installed simultaneously. Shouldn't the new ebuild set the slot as well?
Comment 8 Aaron Walker (RETIRED) gentoo-dev 2005-02-11 10:04:02 UTC
> htdig-3.1.6-r4.ebuild has SLOT="0" and htdig-3.1.6-r7.ebuild does not. This is causing both versions to want to be installed simultaneously. Shouldn't the new ebuild set the slot as well?

Karl, no, and actually it's not even possible to set SLOT in ebuilds that inherit webapp.eclass. SLOT is handled by webapps.eclass, which r4 doesn't use (it uses the older deprecated webapp-apache).
Comment 9 Jason Wever (RETIRED) gentoo-dev 2005-02-12 17:59:53 UTC
Stable on SPARC.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-02-13 05:21:19 UTC
Security please vote on GLSA.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-02-13 05:51:57 UTC
I vote for a GLSA on this one.
Comment 12 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-13 09:16:47 UTC
ditto
Comment 13 Luke Macken (RETIRED) gentoo-dev 2005-02-13 12:58:03 UTC
GLSA 200502-16