Debian Bug report logs - #377299
sitebar: CVE-2006-3320: cross-site scripting

Package: sitebar; Maintainer for sitebar is Carlos Eduardo Sotelo Pinto (krlos) <krlos.aqp@gmail.com>;

Reported by: Alec Berryman <alec@thened.net>

Date: Sat, 8 Jul 2006 03:18:05 UTC

Severity: serious

Tags: fixed, patch, security

Found in versions sitebar/3.3.8-1, sitebar/3.2.6-7

Fixed in versions 3.3.8-1, 3.2.6-7, 3.2.6-7.1, 3.3.8-2

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Kevin Coyner <kevin@rustybear.com>:
Bug#377299; Package sitebar.

Acknowledgement sent to Alec Berryman <alec@thened.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Kevin Coyner <kevin@rustybear.com>.

Message #5 received at submit@bugs.debian.org:

From: Alec Berryman <alec@thened.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sitebar: CVE-2006-3320: cross-site scripting
Date: Fri, 07 Jul 2006 22:51:09 -0400
Package: sitebar
Version: 3.3.8-1 3.2.6-7
Severity: serious
Tags: security

CVE-2006-3320: "Cross-site scripting (XSS) vulnerability in command.php
in SiteBar 3.3.8 and earlier allows remote attackers to inject arbitrary
web script or HTML via the command parameter."

According to the SiteBar svn history page [1], this has not been fixed
upstream.  The original report [2] contains a simple proof-of-concept.
I have not tested it.

The CVE indicates that the version in Sarge is also vulnerable.

Please mention the CVE in your changelog.

Thanks,

Alec

[1] http://teamforge.net/viewcvs/viewcvs.cgi/trunk/doc/history.txt?view=markup
[2] http://www.site.com/sitebar/command.php?command=[CODES]


Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kevin@rustybear.com>:
Bug#377299; Package sitebar.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kevin@rustybear.com>.

Message #10 received at 377299@bugs.debian.org:

From: Thijs Kinkhorst <thijs@debian.org>
To: 377299@bugs.debian.org
Cc: team@security.debian.org, control@bugs.debian.org
Subject: Re: sitebar: CVE-2006-3320: cross-site scripting
Date: Fri, 28 Jul 2006 14:51:43 +0200
tags 377299 +patch
thanks

Hello,

> CVE-2006-3320: "Cross-site scripting (XSS) vulnerability in command.php
> in SiteBar 3.3.8 and earlier allows remote attackers to inject arbitrary
> web script or HTML via the command parameter."

I've already fixed this by NMU in unstable. I've also prepared an
updated package for stable - question is if the security team wants to
release an advisory for this and if this package is ok. See attachment.

Let me know, if it's ok I'll upload it to stable-security.


Attached are the diffs for the sid NMU and the proposed sarge NMU.


Thanks.
Thijs
[sitebar.CVE-2006-3320.sarge.diff (text/x-patch, attachment)]
[sitebar.CVE-2006-3320.sid.diff (text/x-patch, attachment)]

Tags added: fixed. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org.

Tags added: patch. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Kevin Coyner <kevin@rustybear.com>:
Bug#377299; Package sitebar.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Kevin Coyner <kevin@rustybear.com>.

Message #19 received at 377299@bugs.debian.org:

From: Martin Schulze <joey@infodrom.org>
To: Thijs Kinkhorst <thijs@debian.org>
Cc: team@security.debian.org, 377299@bugs.debian.org
Subject: Re: sitebar: CVE-2006-3320: cross-site scripting
Date: Fri, 28 Jul 2006 16:36:40 +0200
Thijs Kinkhorst wrote:
> 
> > CVE-2006-3320: "Cross-site scripting (XSS) vulnerability in command.php
> > in SiteBar 3.3.8 and earlier allows remote attackers to inject arbitrary
> > web script or HTML via the command parameter."
> 
> I've already fixed this by NMU in unstable. I've also prepared an
> updated package for stable - question is if the security team wants to
> release an advisory for this and if this package is ok. See attachment.
> 
> Let me know, if it's ok I'll upload it to stable-security.

Please adjust the distribution to stable-security and the urgency to high,
then proceed.

Regards,

	Joey

-- 
Let's call it an accidental feature.  -- Larry Wall

Please always Cc to me when replying to me on the lists.

Reply sent to Kevin Coyner <kevin@rustybear.com>:
You have taken responsibility.

Notification sent to Alec Berryman <alec@thened.net>:
Bug acknowledged by developer.

Message #26 received at 377299-done@bugs.debian.org:

From: Kevin Coyner <kevin@rustybear.com>
To: 377299-done@bugs.debian.org
Subject: sitebar: CVE-2006-3320: cross-site scripting
Date: Sun, 17 Sep 2006 15:08:08 -0400
Package: sitebar
Version: 3.3.8-1 3.2.6-7
Severity: serious

Fixed thanks to changes made to command.php by Thijs Kinkhorst.

Additionally fixed with separate changes to command.php with patch
received from upstream.

-- 
Kevin Coyner  GnuPG key: 1024D/8CE11941



Bug marked as fixed in version 3.2.6-7.1, send any further explanations to Alec Berryman <alec@thened.net>. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Bug marked as fixed in version 3.3.8-2, send any further explanations to Alec Berryman <alec@thened.net>. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 09:18:16 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 00:02:59 2014; Machine Name: buxtehude.debian.org
