Bugtraq mailing list archives
Re: XSS in ht://Dig
From: Geoff Hutchison <ghutchis () wso williams edu>
Date: Thu, 11 Jul 2002 00:08:32 -0400 (EDT)
In-Reply-To: <Pine.LNX.4.44.0206281905330.9527-100000 () ticalc ticalc org>
PW> My example URL suggests that version 3.1.5 is also
immune, though 3.1.5
PW> has other issues that 3.1.6 resolves -- see PW> http://online.securityfocus.com/bid/3410 and PW> http://www.htdig.org/index.html Version 3.2.0b3 seems to be vunerable.
Sorry for the somewhat slow response, I'm not normally subscribed to BugTraq. Two previous attempts to send this (July 1 and July 5th) did not go through for whatever reason. As far as XSS goes, the following versions have default templates that are immune to such things--you'd get properly-HTML encoded "script" tags. 3.2.0b2, 3.2.0b3 and snapshots of 3.2.0b4 3.1.5 and 3.1.6 (only 3.2.0b4 and 3.1.6 solve other, non-XSS issues) Now, we'll certainly send out an announcement reminding people that they should be using recent versions of ht://Dig and that they should make sure their templates use the $&(VAR) form that HTML-escapes output. And it'll be a good idea to update the documentation to make this clear. But... I'll point out that ht://Dig has its own mailing list. If there is a vulnerability that has *not* been addressed in current versions, please let us know, give us a specific example and we'll post to BugTraq. Further discussion is probably best left on the htdig-discuss () lists sourceforge net or htdig-dev mailing lists or via private e-mail. Regards, -- -Geoff Hutchison Williams Students Online http://wso.williams.edu/
Current thread:
- Re: XSS in ht://Dig Geoff Hutchison (Jul 10)