oss-sec mailing list archives
Re: CVE request: resin: Cross site scripting
From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 13 Jun 2013 17:54:47 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/11/2013 03:10 AM, Agostino Sarubbo wrote:
> From the secunia advisory SA53749 [1]:
>
> Description
> Gjoko Krstic has discovered a vulnerability in Caucho Resin, which can be exploited by malicious people to conduct cross-site scripting attacks.
>
> Input appended to the URL after /resin-admin/ is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
>
> The vulnerability is confirmed in version 4.0.36. Other versions may also be affected.
>
> Solution
> No official solution is currently available.
>
> Provided and/or discovered by
> Gjoko Krstic (LiquidWorm)
>
> Original Advisory
> ZSL-2013-5143:
> http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5143.php
>
> [1]: https://secunia.com/advisories/53749/
>
> The original advisory contains a poc.
This doesn't appear to be Open Source licensed software:

Caucho Developer Source License version 1.1

Please go direct to Mitre for your CVE needs on this one.

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRulvHAAoJEBYNRVNeJnmT7icQAJBmsZ+Cjk/8KceIpohPwA5I
o8aKC73v+LFeFLmwjkCNLMjh6C4S868A12QhfbVj6LSl2oB2tD+Nd1dUC/SzAjk0
B6F2vqOG0XCJqNF6ja0uPs1H+jGLky7BF2mxRpAebpi9bn/dw5j9zmcizQoTGo6n
B8B85P+yTbYlbo3o/hRhXf+lQsVC0rxFQNVTckup63iTYYl3Dti9IV3NN7r/j9ss
kJYXd8EtRNpdjVOxa9Lg5zkM8fxkfb5YIlkTnBOsNe9z0+swowcm8BtO0npuBZlM
y08gi5RU5Bz1gHJkhAywuH+6iUPHTq81J/d25COGp0QjHApQrEKC8MgJoilLnGLb
fqAoP9oaxXq0BtUO8Y2lBGDVjglVv6OEjAeNh17rgr1Ol7LGNdJpk/gvFNjWpIzl
49CcapQQUzSDkKEqk4NNWfZDjl2BAga0cAjwbF9nuyK3kQHsY4/kEyxi/YQHga8g
90P/xRsOsNr6WNKl5+dY79JPOpibbw/ulcYRVo51AsQ6xWSbpGGKxaavvmAIl+E9
lUobw/DjJb6ow0oGY8yxE3AdXIYa89Pjri94n/Chpw7CSyVt9hSakEztkQ6HUP2E
RN51UqgduNSKy7o232JNvgASISB4d9c77qL5RA9MWSfIqgjZGMIulH+kvpj/NaX2
VVILjlhfdhPhnwXxDXVE
=cmeP
-----END PGP SIGNATURE-----
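The advisory quoted in this thread describes the bug only as "input appended to the URL after /resin-admin/ is not properly sanitised before being returned to the user." The following is an added illustration of that class of defect, not code from Resin, Secunia, ZeroScience or either poster: a request handler that reflects the path suffix into an HTML error page, written once in the unescaped form the advisory describes and once with HTML escaping, plus a small check a tester or reviewer can run to tell the two apart. The prefix constant, function names and sample paths are constructed for the example.

```python
"""Added example (not from the advisory or from Resin): reflecting a URL path
suffix into HTML, unescaped versus escaped. All names and inputs are constructed."""
import html
from urllib.parse import unquote

# Hypothetical admin prefix chosen to mirror the advisory's wording; not Resin's routing.
ADMIN_PREFIX = "/resin-admin/"

TEMPLATE = "<html><body><h1>Admin console</h1><p>No such page: {suffix}</p></body></html>"


def _suffix(request_path: str) -> str:
    """Return the percent-decoded part of the path after the admin prefix.

    Servlet containers hand the application a decoded path, so the decode step
    is part of the realistic data flow, not an extra weakness added here.
    """
    if not request_path.startswith(ADMIN_PREFIX):
        raise ValueError("path is outside the admin prefix")
    return unquote(request_path[len(ADMIN_PREFIX):])


def page_unescaped(request_path: str) -> str:
    """Vulnerable pattern: the decoded suffix is inlined verbatim into markup."""
    return TEMPLATE.format(suffix=_suffix(request_path))


def page_escaped(request_path: str) -> str:
    """Hardened pattern: the suffix is HTML-escaped (including quotes) at the
    point where it enters the HTML context, so '<', '>', '&' and quotes can no
    longer change the structure of the page."""
    return TEMPLATE.format(suffix=html.escape(_suffix(request_path), quote=True))


def reflects_markup(request_path: str, render) -> bool:
    """Review-time check: True when the rendered page contains the decoded
    suffix byte-for-byte even though that suffix carries a tag delimiter.
    A correctly escaped handler never satisfies this for such input."""
    suffix = _suffix(request_path)
    return "<" in suffix and suffix in render(request_path)


if __name__ == "__main__":
    # Constructed request path with a harmless bold tag, percent-encoded as a
    # browser would send it; the point is only whether the tag survives as markup.
    probe = "/resin-admin/%3Cb%3Eprobe%3C/b%3E"
    print("unescaped handler reflects markup:", reflects_markup(probe, page_unescaped))
    print("escaped handler reflects markup:  ", reflects_markup(probe, page_escaped))
```

The `reflects_markup` check is deliberately crude: it only asks whether a tag delimiter in the input comes back unchanged, which is the defect the advisory names. Escaping at the output point (as in `page_escaped`) is the fix that survives every input shape, including percent-encoded ones, whereas filtering a list of "bad" substrings on the way in does not.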