
oss-sec mailing list archives
Re: Re: CVE request: LetoDMS, more issues
From: Raphael Geissert <geissert () debian org>
Date: Wed, 31 Oct 2012 17:30:28 -0600
On Wednesday 31 October 2012 09:31:13 Kurt Seifried wrote:
> On 10/30/2012 01:28 PM, Raphael Geissert wrote:
>> On Friday 05 October 2012 23:11:36 Raphael Geissert wrote:
>> Regression in the above patch (fixed after the release of 3.3.9):
>> http://mydms.svn.sourceforge.net/viewvc/mydms/branches/letoDMS-3.3.x/out/out.UsrMgr.php?r1=982&r2=981&pathrev=982
>
> Does this regression cause a security issue (e.g. did accidentally putting htmlspecialchars() in actually cause a new XSS?).

I don't think so. The commit log says[1]: "no need to escape with htmlspecialchars() because UI::contentSubHeading() does it too."

[1] http://mydms.svn.sourceforge.net/viewvc/mydms?view=revision&revision=982

Thanks,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
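The regression discussed above is a double-escaping bug rather than an XSS. The PHP below is an added illustration, not LetoDMS code: contentSubHeading() is a hypothetical stand-in for UI::contentSubHeading() whose only borrowed property is that it escapes its argument itself, as the commit log states, and the sample user name is constructed.

```php
<?php
// Added illustration, not LetoDMS code. contentSubHeading() is a hypothetical
// stand-in for UI::contentSubHeading(); the one property taken from the commit
// log is that it escapes its argument itself.
function contentSubHeading(string $text): string
{
    return '<h2>' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// Before r982: the caller escaped too, so each & < > " ' was encoded twice and
// the browser showed entity text literally. Cosmetic, and still inert.
function renderDoubleEscaped(string $name): string
{
    return contentSubHeading(htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
}

// After r982: the helper is the single escaping layer; the name displays
// verbatim and no markup is interpreted.
function renderSingleEscaped(string $name): string
{
    return contentSubHeading($name);
}

// Hypothetical broken variant with no escaping at all: this, not the double
// encoding, is what an XSS would require.
function renderUnescaped(string $name): string
{
    return '<h2>' . $name . '</h2>';
}

// Crude detector: any tag other than the <h2> wrapper in the output?
function containsInjectedMarkup(string $html): bool
{
    return (bool) preg_match('#<(?!/?h2>)[a-z!/]#i', $html);
}

// Constructed sample user name containing markup and a quote.
$name = "O'Brien <b>&</b>";

foreach (['double' => 'renderDoubleEscaped',
          'single' => 'renderSingleEscaped',
          'none'   => 'renderUnescaped'] as $label => $fn) {
    $html = $fn($name);
    printf("%-6s %-8s %s\n", $label,
           containsInjectedMarkup($html) ? 'INJECTED' : 'inert', $html);
}
```

Only the unescaped variant lets the injected tag through; removing the redundant caller-side htmlspecialchars() leaves the helper's escaping in place.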
Current thread:
- CVE request: LetoDMS, more issues Raphael Geissert (Oct 05)
- Re: CVE request: LetoDMS, more issues Raphael Geissert (Oct 30)
- Re: Re: CVE request: LetoDMS, more issues Kurt Seifried (Oct 31)
- Re: Re: CVE request: LetoDMS, more issues Raphael Geissert (Oct 31)
- Re: Re: CVE request: LetoDMS, more issues Kurt Seifried (Oct 31)
- Re: CVE request: LetoDMS, more issues Raphael Geissert (Oct 30)