Bugtraq mailing list archives

Re: XSS in ht://Dig


From: Geoff Hutchison <ghutchis () wso williams edu>
Date: Thu, 11 Jul 2002 00:08:32 -0400 (EDT)


In-Reply-To: <Pine.LNX.4.44.0206281905330.9527-100000 () ticalc ticalc org>
PW> My example URL suggests that version 3.1.5 is also immune, though 3.1.5
PW> has other issues that 3.1.6 resolves -- see
PW>    http://online.securityfocus.com/bid/3410 and
PW>    http://www.htdig.org/index.html

Version 3.2.0b3 seems to be vulnerable.

Sorry for the somewhat slow response, I'm not normally subscribed to
BugTraq. Two previous attempts to send this (July 1 and July 5th) did not
go through for whatever reason.

As far as XSS goes, the following versions have default templates that are
immune to such things--you'd get properly-HTML encoded "script" tags.

3.2.0b2, 3.2.0b3 and snapshots of 3.2.0b4
3.1.5 and 3.1.6
(only 3.2.0b4 and 3.1.6 solve other, non-XSS issues)

Now, we'll certainly send out an announcement reminding people that they
should be using recent versions of ht://Dig and that they should make sure
their templates use the $&(VAR) form that HTML-escapes output. And it'll
be a good idea to update the documentation to make this clear.

But...

I'll point out that ht://Dig has its own mailing list. If there is a
vulnerability that has *not* been addressed in current versions, please
let us know, give us a specific example and we'll post to BugTraq. Further
discussion is probably best left on the
htdig-discuss () lists sourceforge net or htdig-dev mailing lists or via
private e-mail.

Regards,
--
-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/
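
Added example, not part of the original message and not ht://Dig code: a Python sketch of the template check the message recommends, listing variable references that do not use the HTML-escaping $&(VAR) form, alongside a toy expander that shows what each form emits. The plain $(VAR) and URL-encoding $%(VAR) forms, the `allow` parameter and the sample template with its variable names are assumptions made for illustration.

```python
import html
import re
import urllib.parse

# $(VAR), $&(VAR) or $%(VAR); group 1 is the optional modifier character.
VAR_REF = re.compile(r"\$([&%]?)\(([A-Z0-9_]+)\)")

def render(template, values):
    """Toy expander: $&(VAR) HTML-escapes, $%(VAR) URL-encodes, $(VAR) is raw."""
    def expand(match):
        modifier, name = match.groups()
        value = values.get(name, "")
        if modifier == "&":
            return html.escape(value, quote=True)
        if modifier == "%":
            return urllib.parse.quote(value, safe="")
        return value  # raw insertion: markup in the value reaches the page
    return VAR_REF.sub(expand, template)

def unescaped_refs(template, allow=frozenset()):
    """List (line, variable) for each raw $(VAR) reference not in `allow`.

    `allow` (hypothetical) is for variables that carry markup generated by
    the search engine itself and therefore have to be inserted unescaped.
    """
    findings = []
    for lineno, line in enumerate(template.splitlines(), 1):
        for modifier, name in VAR_REF.findall(line):
            if modifier == "" and name not in allow:
                findings.append((lineno, name))
    return findings

# Constructed sample template; variable names are illustrative.
SAMPLE_TEMPLATE = """<title>Search results for '$(WORDS)'</title>
<input type="text" name="words" value="$&(WORDS)">
<p>No matches for <b>$(LOGICAL_WORDS)</b></p>
$(PAGELIST)
"""

if __name__ == "__main__":
    for lineno, name in unescaped_refs(SAMPLE_TEMPLATE, allow={"PAGELIST"}):
        print(f"line {lineno}: $({name}) is not HTML-escaped, use $&({name})")
    print(render("<b>$&(WORDS)</b>", {"WORDS": '<script>"x"'}))
```

Variables that echo user input, such as the query words, are the ones that matter most in the findings; anything placed in `allow` should be reviewed to confirm it never carries request data.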


