oss-sec mailing list archives

CVE Request -- Python-Mako (prior v0.3.4): Improper escaping of single quotes in escape.cgi (XSS)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 30 Jun 2010 18:20:18 +0200

Hi Steve, vendors,

  Craig Younkins reported:
    [1] http://bugs.python.org/issue9061

  that Python Mako (versions prior to v0.3.4), a template library written in Python,
  improperly escaped single quotes in escape.cgi. An attacker could use this flaw to conduct
  cross-site scripting (XSS) attacks.

  References:
    [2] http://www.makotemplates.org/CHANGES

Sample public PoC (from [1]):

  Proof of concept:
  import cgi
  print """<body class='%s'></body>""" % cgi.escape("' onload='alert(1);' bad='")

Could you allocate a CVE id for this?

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
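
Added example, not part of the original message or of Mako's code: it renders the PoC string from the message into the same single-quoted attribute with two escapers and uses the standard-library HTML parser to list the attributes that end up on the tag. `legacy_escape` is a hypothetical stand-in written here to mirror the documented behaviour of the old `cgi.escape` (which current Python no longer ships); `html.escape` is the standard-library function that also escapes single quotes.

```python
import html
from html.parser import HTMLParser

# Payload and template taken from the PoC quoted in the message above.
PAYLOAD = "' onload='alert(1);' bad='"
TEMPLATE = "<body class='%s'></body>"


def legacy_escape(s, quote=False):
    """Stand-in for the old cgi.escape(): &, <, > and optionally ", never '."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


class BodyAttrs(HTMLParser):
    """Records the attribute names the parser sees on the <body> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.attrs = [name for name, _ in attrs]


def body_attribute_names(markup):
    parser = BodyAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def render(escape):
    """Place the escaped payload inside the single-quoted class attribute."""
    return TEMPLATE % escape(PAYLOAD)


if __name__ == "__main__":
    for label, fn in (("legacy", legacy_escape),
                      ("legacy quote=True", lambda s: legacy_escape(s, True)),
                      ("html.escape", html.escape)):
        out = render(fn)
        print(label, out, body_attribute_names(out), sep="\n  ")
```

With the legacy escaper the parser reports three attributes on the tag even when `quote=True`; with `html.escape` the whole payload stays inside the `class` value.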

