Bug#652587: libhtml-template-pro-perl: missing escaping allows XSS
Ansgar Burchardt
ansgar at debian.org
Mon Dec 19 18:47:52 UTC 2011
Ansgar Burchardt <ansgar at debian.org> writes:
> The JS escaping in libhtml-template-pro-perl fails to escape "<" and
> ">", which allows XSS. This was fixed in the last upstream release (0.9507).
>
> An example script that triggers the bug is attached. With 0.9507 it
> outputs
>
> <evil>
>
> older versions generate
>
> <evil>
>
> instead.
I prepared a backport of the relevant changes to squeeze (attached).
Lenny might be affected as well; I'll look into that in the next few days.
Does the security team want to release a DSA for this issue or should it
be fixed via proposed-updates?
Regards,
Ansgar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 652587-squeeze.diff
Type: text/x-diff
Size: 2547 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20111219/9ca6ff61/attachment.diff>
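To make the escaping gap concrete, here is an added, self-contained example (constructed for this write-up, not HTML::Template::Pro's own code or the attached diff). It places a minimal JavaScript-string escaper that handles quotes, backslashes and line breaks but, like the flawed filter described above, leaves "<" and ">" alone next to a corrected escaper that also rewrites them as \x3c and \x3e, and adds a check a reviewer can run over rendered output. The template shape, function names and the "<evil>" sample are assumptions.

```python
# Constructed example; the escapers are illustrative, not the library's code.

# Escaper in the style of the flawed filter: quotes, backslashes and line
# breaks are handled, but "<" and ">" pass through unchanged.
_INCOMPLETE_TABLE = {
    "\\": "\\\\",
    '"': '\\"',
    "'": "\\'",
    "\n": "\\n",
    "\r": "\\r",
}

# Corrected escaper: additionally rewrites "<" and ">" as JS hex escapes.
# Inside a JS string literal \x3c still decodes to "<" at runtime, so the
# value is preserved for the script while the HTML parser never sees a
# raw angle bracket (and therefore cannot see a premature "</script>").
_FIXED_TABLE = dict(_INCOMPLETE_TABLE, **{"<": "\\x3c", ">": "\\x3e"})


def js_escape_incomplete(value: str) -> str:
    """Escape a value for a JS string literal, missing < and >."""
    return "".join(_INCOMPLETE_TABLE.get(ch, ch) for ch in value)


def js_escape_fixed(value: str) -> str:
    """Escape a value for a JS string literal, including < and >."""
    return "".join(_FIXED_TABLE.get(ch, ch) for ch in value)


def render_script(template_value: str, escaper) -> str:
    """Hypothetical template: interpolate a value into a JS string inside <script>."""
    return '<script>var name = "' + escaper(template_value) + '";</script>'


def has_unescaped_angle_brackets(js_literal: str) -> bool:
    """Check on escaper output: a correctly JS-escaped value never contains
    a raw < or >. Useful as a regression test for a template filter."""
    return "<" in js_literal or ">" in js_literal


# Constructed sample mirroring the report's example value.
SAMPLE = "<evil>"

if __name__ == "__main__":
    for name, esc in (("incomplete", js_escape_incomplete), ("fixed", js_escape_fixed)):
        out = esc(SAMPLE)
        print(f"{name:10s} -> {out!r}  raw brackets: {has_unescaped_angle_brackets(out)}")
        print("            ", render_script(SAMPLE, esc))
```

With the incomplete escaper the rendered page still contains the literal characters "<evil>" inside the script element, which is exactly what the report describes for older versions; the fixed escaper yields \x3cevil\x3e, so the check above returns False and the browser's HTML parser finds no markup in the string.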