Debian Bug report logs - #389361
XSS vulnerability in elog


Package: elog; Maintainer for elog is (unknown);

Reported by: Tilman Koschnick <til@subnetz.org>

Date: Mon, 25 Sep 2006 09:33:09 UTC

Severity: grave

Tags: security

Found in version elog/2.6.1+r1642-1

Fixed in version elog/2.6.2+r1719-1

Done: Recai Oktaş <roktas@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, til@subnetz.org, Debian Security Team <team@security.debian.org>, Recai Oktaş <roktas@debian.org>:
Bug#389361; Package elog.


Acknowledgement sent to Tilman Koschnick <til@subnetz.org>:
New Bug report received and forwarded. Copy sent to til@subnetz.org, Debian Security Team <team@security.debian.org>, Recai Oktaş <roktas@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Tilman Koschnick <til@subnetz.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: XSS vulnerability in elog
Date: Mon, 25 Sep 2006 11:27:10 +0200
Package: elog
Version: 2.6.1+r1642-1
Severity: grave
Tags: security
Justification: user security hole

Hi,

when editing a log entry in HTML mode, elog accepts arbitrary JavaScript
code. This code will be executed in the browser of other users viewing the
entry (provided they have JavaScript enabled), thus exposing the users
to an XSS (cross site scripting) attack.

To reproduce the problem, add or edit a log entry, switch to HTML mode
and enter the following code snippet:

--------------------------------8<------------------------------
<script type='text/javascript'>
<!--
  alert("There seems to be the possibility of an XSS attack...");
//-->
</script>
--------------------------------8<------------------------------

When viewing the entry, a JavaScript popup should appear.

To remedy the problem, all <script> tags should be filtered out (or
better yet, only "safe" HTML code should be allowed). At the very least,
it should be possible to disable HTML entries (and this should be the
default, with a big warning if someone wants to change it).

Cheers, Til


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-2-amd64-k8-smp
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages elog depends on:
ii  adduser                      3.97        Add and remove users and groups
ii  libc6                        2.3.6.ds1-4 GNU C Library: Shared libraries

elog recommends no packages.

-- no debconf information
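The two remedies the report asks for, stripping <script> (or, better, allowing only "safe" HTML) and keeping HTML mode off by default, can be shown together in a short server-side filter. The following is an added example written for this bug log; it is not elog's code (elog is written in C; Python is used here only because its standard-library HTML parser keeps the allowlist logic short). The tag allowlist, the function names sanitize_html, render_entry and _safe_url, and the sample entry are all assumptions made for the example; the embedded test snippet is the one from the report.

```python
"""Allowlist HTML filter for user-supplied logbook entries (added example).

Not elog's own code. It demonstrates the two remedies from the report:
drop <script> together with its content and keep only a small allowlist
of tags/attributes, and, as the safe default, render an entry as escaped
plain text unless HTML mode has been enabled explicitly.
"""
import html
from html.parser import HTMLParser

# Assumed allowlist for this example; a real deployment would tune it.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "pre", "code", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style
DROP_WITH_CONTENT = {"script", "style"}  # the tag and everything inside it go
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def _safe_url(url):
    """Accept only relative URLs and a few schemes in href values."""
    if url is None:
        return False
    # Browsers ignore whitespace and control characters inside a scheme,
    # so remove them before deciding (defeats "java\tscript:" tricks).
    u = "".join(ch for ch in url if ch.isprintable() and not ch.isspace()).lower()
    if ":" not in u:
        return True                      # relative URL, no scheme at all
    return u.startswith(SAFE_SCHEMES)


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = False            # True while inside <script>/<style>
        self.open_tags = []              # stack used to emit balanced close tags

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return                       # unknown tag dropped, its text is kept
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and not _safe_url(value):
                continue
            safe_attrs.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag in DROP_WITH_CONTENT:
                self.skipping = False
            return
        if tag in self.open_tags:
            # Pop down to the matching tag so the output stays well formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:            # text inside <script> never comes out
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                             # comments never reach the viewer

    def close(self):
        super().close()
        while self.open_tags:            # close whatever the author left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize_html(entry):
    """Return the entry with only allowlisted markup left in it."""
    p = _Sanitizer()
    p.feed(entry)
    p.close()
    return "".join(p.out)


def render_entry(entry, html_mode_allowed=False):
    """HTML mode off by default: the entry is shown as escaped text."""
    if not html_mode_allowed:
        return html.escape(entry, quote=True)
    return sanitize_html(entry)


# Constructed sample: the reporter's test snippet embedded in an otherwise
# harmless entry, plus an href/onclick case to show attribute filtering.
REPORTED_SNIPPET = ("<script type='text/javascript'>\n<!--\n"
                    '  alert("There seems to be the possibility of an XSS attack...");\n'
                    "//-->\n</script>")
SAMPLE_ENTRY = ("<p>Run <b>12</b> finished. " + REPORTED_SNIPPET +
                ' <a href="javascript:alert(1)" onclick="alert(2)">log</a>'
                ' <a href="https://example.org/run/12">plot</a></p>')

if __name__ == "__main__":
    print(render_entry(SAMPLE_ENTRY))                          # escaped text
    print(render_entry(SAMPLE_ENTRY, html_mode_allowed=True))  # sanitized HTML
```

With the default (HTML mode off) the whole snippet is displayed literally as text, which is the behaviour upstream later adopted as the default; with HTML mode on, the script element and its body, the onclick handler and the javascript: href are all removed while the plain formatting and the https link survive.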



Information forwarded to debian-bugs-dist@lists.debian.org, Recai Oktaş <roktas@debian.org>:
Bug#389361; Package elog.


Acknowledgement sent to Stefan Ritt <stefan.ritt@psi.ch>:
Extra info received and forwarded to list. Copy sent to Recai Oktaş <roktas@debian.org>.


Message #10 received at 389361@bugs.debian.org:

From: Stefan Ritt <stefan.ritt@psi.ch>
To: 389361@bugs.debian.org
Subject: XSS vulnerability fixed
Date: Wed, 27 Sep 2006 23:09:27 +0200
The reported XSS vulnerability has been fixed in SVN revision 1719 of 
elog by not allowing HTML mode by default. This mode has to be enabled 
explicitly by setting "Allowed encoding = 7".

Cheers,

  Stefan



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#389361; Package elog.


Acknowledgement sent to Recai Oktaş <roktas@debian.org>:
Extra info received and forwarded to list.


Message #15 received at 389361@bugs.debian.org:

From: Recai Oktaş <roktas@debian.org>
To: Tilman Koschnick <til@subnetz.org>, 389361@bugs.debian.org
Subject: Re: Bug#389361: XSS vulnerability in elog
Date: Thu, 28 Sep 2006 01:48:06 +0300
* Tilman Koschnick [2006-09-25 11:27:10+0200]
> Package: elog
> Version: 2.6.1+r1642-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Hi,
> 
> when editing a log entry in HTML mode, elog accepts arbitrary JavaScript
> code. This code will be executed in the browser of other users viewing the
> entry (provided they have JavaScript enabled), thus exposing the users
> to an XSS (cross site scripting) attack.

Hi,

Thanks for your bug report.  I'm going to make a new upload (r1719) which
includes a fix for this issue.  Feel free to reopen this bug if the problem
persists.

-- 
roktas

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#389361; Package elog.


Acknowledgement sent to Recai Oktaş <roktas@debian.org>:
Extra info received and forwarded to list.


Message #20 received at 389361@bugs.debian.org:

From: Recai Oktaş <roktas@debian.org>
To: Stefan Ritt <stefan.ritt@psi.ch>, 389361@bugs.debian.org
Subject: Re: Bug#389361: XSS vulnerability fixed
Date: Thu, 28 Sep 2006 01:54:19 +0300
* Stefan Ritt [2006-09-27 23:09:27+0200]
> The reported XSS vulnerability has been fixed in SVN revision 1719 of 
> elog by not allowing HTML mode by default. This mode has to be enabled 
> explicitly by setting "Allowed encoding = 7".

Hi Stefan,

Thanks for the fix!  I haven't checked the stable version.  Does this issue
also exist in our stable version (release 2.5.7, svn revision: r1558)?  If
so, we should prepare a backport for it.

Cheers,

-- 
roktas

Reply sent to Recai Oktaş <roktas@debian.org>:
You have taken responsibility.


Notification sent to Tilman Koschnick <til@subnetz.org>:
Bug acknowledged by developer.


Message #25 received at 389361-close@bugs.debian.org:

From: Recai Oktaş <roktas@debian.org>
To: 389361-close@bugs.debian.org
Subject: Bug#389361: fixed in elog 2.6.2+r1719-1
Date: Wed, 27 Sep 2006 16:02:22 -0700
Source: elog
Source-Version: 2.6.2+r1719-1

We believe that the bug you reported is fixed in the latest version of
elog, which is due to be installed in the Debian FTP archive:

elog_2.6.2+r1719-1.diff.gz
  to pool/main/e/elog/elog_2.6.2+r1719-1.diff.gz
elog_2.6.2+r1719-1.dsc
  to pool/main/e/elog/elog_2.6.2+r1719-1.dsc
elog_2.6.2+r1719-1_i386.deb
  to pool/main/e/elog/elog_2.6.2+r1719-1_i386.deb
elog_2.6.2+r1719.orig.tar.gz
  to pool/main/e/elog/elog_2.6.2+r1719.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 389361@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Recai Oktaş <roktas@debian.org> (supplier of updated elog package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 28 Sep 2006 01:36:38 +0300
Source: elog
Binary: elog
Architecture: source i386
Version: 2.6.2+r1719-1
Distribution: unstable
Urgency: critical
Maintainer: Recai Oktaş <roktas@debian.org>
Changed-By: Recai Oktaş <roktas@debian.org>
Description: 
 elog       - Logbook system to manage notes through a Web interface
Closes: 389361
Changes: 
 elog (2.6.2+r1719-1) unstable; urgency=critical
 .
   * Urgency set to critical because of the security issues.
   * New upstream release grabbed from Subversion (r1719).
     + Fix an XSS vulnerability, which occurs when editing a log entry
       in HTML mode.  (Closes: #389361)
Files: 
 9b57b5e7ec8d77485ed8c66646d1a80b 571 web optional elog_2.6.2+r1719-1.dsc
 b317563258ee8b0b3e2375a5f5e33315 663231 web optional elog_2.6.2+r1719.orig.tar.gz
 dd4004ac4d48871aa6bc4e5a18a0fe9f 12347 web optional elog_2.6.2+r1719-1.diff.gz
 8abf9e948743707e400409fdfe63ac55 653274 web optional elog_2.6.2+r1719-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFGv6VnA44mz/SXIQRAhOvAJ49kkB3+thIEGLEYwYcSfzM4rSpJgCfRnDS
cg6CD85jsNiB1s2IrqU0QlQ=
=x00F
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 03:47:50 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 20:31:03 2025; Machine Name: buxtehude