Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE Request: Security issue in backuppc
From: Moritz Mühlenhoff <jmm () inutil org>
Date: Tue, 3 Jan 2012 20:55:19 +0100

On Thu, Oct 27, 2011 at 04:00:48PM -0500, Jamie Strandboge wrote:
Hi Craig,

While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
another XSS vulnerability in View.pm when accessing the following URLs
in backuppc:
index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>

You are being emailed as the upstream contact. Please keep
oss-security () lists openwall com[1] CC'd for any updates on this issue.

To oss-security, can I have a CVE for this? It is essentially the same
vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead
of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on
3.0.0, 3.1.0, 3.2.0 and 3.2.1.


This hasn't ended up in a CVE assignment.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]