Re: CVE request: smokeping XSS

[Vincent Danen <vdanen () redhat com>]

* [2012-02-27 20:26:05 +0100] Florian Weimer wrote:

> * Vincent Danen:
>
> > https://bugzilla.redhat.com/show_bug.cgi?id=783584
>
> Is the patch
>
> https://bugzilla.redhat.com/attachment.cgi?id=556619
>
> really correct?  It does not strip the two magic characters "=
> (" should be enough, = is just defensive), so it's probably still
> possible to inject an onmouseover handler and CSS which enlarges the
> affected HTML element so that the handler is practically guaranteed to
> fire.
>
> I've just looked at the patch, I haven't got a (patched or unpatched)
> smokeping instance to test this.

Sorry, slowly catching up on mails here.

Whether that is right or wrong, I'm not 100% sure; you'd have to ask
upstream.  I just did the diff since I couldn't find a svn/git repo web
interface to generate a patch, so if it's wrong, then upstream has got
it wrong as well.

I see that Fedora has used a patch (not sure if it's the same or not),
so if I get a chance in the next few days I'll try the new version to
try to validate the fix.

--
Vincent Danen / Red Hat Security Response Team