Debian Bug report logs - #373667
zope-zms: CVE-2006-2997: cross-site scripting

Package: zope-zms; Maintainer for zope-zms is (unknown);

Reported by: Alec Berryman <alec@thened.net>

Date: Wed, 14 Jun 2006 22:33:03 UTC

Severity: normal

Tags: security

Done: Fabio Tranchitella <kobold@kobold.it>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#373667; Package zope-zms. Full text and rfc822 format available.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: zope-zms: CVE-2006-2997: cross-site scripting
Date: Wed, 14 Jun 2006 17:02:58 -0500
Package: zope-zms
Severity: normal
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2006-2997: "Cross-site scripting (XSS) vulnerability in ZMS 2.9 and
earlier, when register_globals is enabled, allows remote attackers to
inject arbitrary web script or HTML via the raw parameter in the search
field."

Note that 'register_globals' must be set 'on' for this to be a
vulnerability.

The original BugTraq posting [1] does not include a patch, and no new
upstream version has been released.

This appears to affect sarge.

Please mention the CVE in the changelog.

Thanks,

Alec

[1] http://www.securityfocus.com/archive/1/archive/1/436703/100/0/threaded

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEkIeSAud/2YgchcQRAlDMAJwLO6ZYpLPdeziVuQIA0/O7fafwwgCgviks
2xdf6GpjmpXjIuQv4FqdZbQ=
=KEae
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#373667; Package zope-zms. Full text and rfc822 format available.

Acknowledgement sent to Amaya <amaya@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #10 received at 373667@bugs.debian.org (full text, mbox):

From: Amaya <amaya@debian.org>
To: 373667@bugs.debian.org, pkg-zope-developers@lists.alioth.debian.org
Subject: zope-zms: Security bug open since Jun 2006?
Date: Tue, 1 Apr 2008 18:34:24 +0200
According to #373667, zope-zms has a cross-site scripting vulnerability.
There is a newer upstream version: 
http://dehs.alioth.debian.org/maintainer.php?name=zope-zms

Would it be a fix for this security problem? 
Is this package no longer relevant, and should it thus be removed?

Please CC: me on replys as I am not subscribed to the bug or list.

Thanks for your time!

-- 
  ยท''`.        Gay scientists discover the Christian gene
 : :' :            
 `. `'            
   `-        Proudly running (unstable) Debian GNU/Linux




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#373667; Package zope-zms. Full text and rfc822 format available.

Acknowledgement sent to Andreas Tille <tillea@rki.de>:
Extra info received and forwarded to list. Copy sent to Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #15 received at 373667@bugs.debian.org (full text, mbox):

From: Andreas Tille <tillea@rki.de>
To: Frank Hoffmann <fh@hoffmannliebenberg.de>
Cc: 373667@bugs.debian.org, pkg-zope-developers@lists.alioth.debian.org, Amaya <amaya@debian.org>
Subject: Re: zope-zms: CVE-2006-2997: cross-site scripting
Date: Tue, 1 Apr 2008 18:53:28 +0200 (CEST)
Hello,

could you please comment on the security issue that is described in the
Debian bug report

   http://bugs.debian.org/373667

The package zope-zms is in danger to become removed from the Debian
distribution if nobody will fix this long standing issue and we suspect
that you are intersted in fixing this upstream as well.

Kind regards and thanks for providing Zope-ZMS

         Andreas.

-- 
http://fam-tille.de




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#373667; Package zope-zms. Full text and rfc822 format available.

Acknowledgement sent to "Dr. Frank Hoffmann" <fh@hoffmann-liebenberg.de>:
Extra info received and forwarded to list. Copy sent to Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #20 received at 373667@bugs.debian.org (full text, mbox):

From: "Dr. Frank Hoffmann" <fh@hoffmann-liebenberg.de>
To: <373667@bugs.debian.org>
Cc: "'Andreas Tille'" <tillea@rki.de>
Subject: Re: zope-zms: CVE-2006-2997: cross-site scripting
Date: Sat, 12 Apr 2008 11:40:02 +0200
Hello List,
after asking the primary author of the security issue he did not give us any
hints about test details nor the relevance of his 'results'. Moreover
ZMS/Zope is a Python based framework - not PHP based.
Until now the ZMS development team does not see any implications of this. 

Best Regards
Frank Hoffmann





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>:
Bug#373667; Package zope-zms. Full text and rfc822 format available.

Acknowledgement sent to <dr.frank.hoffmann@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian Zope team <pkg-zope-developers@lists.alioth.debian.org>. Full text and rfc822 format available.

Message #25 received at 373667@bugs.debian.org (full text, mbox):

From: "Dr. Frank Hoffmann" <dr.frank.hoffmann@gmx.de>
To: <373667@bugs.debian.org>
Cc: <tillea@rki.de>
Subject: Re Re: zope-zms: CVE-2006-2997: cross-site scripting
Date: Mon, 21 Apr 2008 13:16:08 +0200
FYI 
Hello again,
the author revoked his security report primarily published here
http://www.majorsecurity.de/advisory/major_rls12.txt 
(Some other information services still may publish it until the 'revoke'
message is around.) 

Best Regards
Frank Hoffmann





Reply sent to Fabio Tranchitella <kobold@kobold.it>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #30 received at 373667-done@bugs.debian.org (full text, mbox):

From: Fabio Tranchitella <kobold@kobold.it>
To: dr.frank.hoffmann@gmx.de, 373667-done@bugs.debian.org
Subject: Re: Bug#373667: Re Re: zope-zms: CVE-2006-2997: cross-site scripting
Date: Mon, 21 Apr 2008 14:11:00 +0200
* 2008-04-21 13:18, Dr. Frank Hoffmann wrote:
> FYI 
> Hello again,
> the author revoked his security report primarily published here
> http://www.majorsecurity.de/advisory/major_rls12.txt 
> (Some other information services still may publish it until the 'revoke'
> message is around.) 

Thanks for your message; it seems now that the bug report #373667 can be
closed, so I'm doing it with this message.

Best regards,

-- 
Fabio Tranchitella                         http://www.kobold.it
Free Software Developer and Consultant     http://www.tranchitella.it
_____________________________________________________________________
1024D/7F961564, fpr 5465 6E69 E559 6466 BF3D 9F01 2BF8 EE2B 7F96 1564




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 20 May 2008 07:46:01 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 08:22:52 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.