Re: CVE request: resin: Cross site scripting

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/11/2013 03:10 AM, Agostino Sarubbo wrote:
> From the secunia advisory SA53749 [1]:
>
> Description Gjoko Krstic has discovered a vulnerability in Caucho
> Resin, which can be exploited by malicious people to conduct
> cross-site scripting attacks.
>
> Input appended to the URL after /resin-admin/ is not properly
> sanitised before being returned to the user. This can be exploited
> to execute arbitrary HTML and script code in a user's browser
> session in context of an affected site.
>
> The vulnerability is confirmed in version 4.0.36. Other versions
> may also be affected.
>
>
> Solution No official solution is currently available.
>
> Provided and/or discovered by Gjoko Krstic (LiquidWorm)
>
> Original Advisory ZSL-2013-5143: 
> http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5143.php
>
> [1]: https://secunia.com/advisories/53749/
>
> The original advisory contains a poc.

This doesn't appear to be an Open Source licensed software:

                   Caucho Developer Source License
                             version 1.1

Please go direct to Mitre for your CVE needs on this one.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRulvHAAoJEBYNRVNeJnmT7icQAJBmsZ+Cjk/8KceIpohPwA5I
o8aKC73v+LFeFLmwjkCNLMjh6C4S868A12QhfbVj6LSl2oB2tD+Nd1dUC/SzAjk0
B6F2vqOG0XCJqNF6ja0uPs1H+jGLky7BF2mxRpAebpi9bn/dw5j9zmcizQoTGo6n
B8B85P+yTbYlbo3o/hRhXf+lQsVC0rxFQNVTckup63iTYYl3Dti9IV3NN7r/j9ss
kJYXd8EtRNpdjVOxa9Lg5zkM8fxkfb5YIlkTnBOsNe9z0+swowcm8BtO0npuBZlM
y08gi5RU5Bz1gHJkhAywuH+6iUPHTq81J/d25COGp0QjHApQrEKC8MgJoilLnGLb
fqAoP9oaxXq0BtUO8Y2lBGDVjglVv6OEjAeNh17rgr1Ol7LGNdJpk/gvFNjWpIzl
49CcapQQUzSDkKEqk4NNWfZDjl2BAga0cAjwbF9nuyK3kQHsY4/kEyxi/YQHga8g
90P/xRsOsNr6WNKl5+dY79JPOpibbw/ulcYRVo51AsQ6xWSbpGGKxaavvmAIl+E9
lUobw/DjJb6ow0oGY8yxE3AdXIYa89Pjri94n/Chpw7CSyVt9hSakEztkQ6HUP2E
RN51UqgduNSKy7o232JNvgASISB4d9c77qL5RA9MWSfIqgjZGMIulH+kvpj/NaX2
VVILjlhfdhPhnwXxDXVE
=cmeP
-----END PGP SIGNATURE-----