oss-sec mailing list archives
Re: CVE request: XSS in python paste
From: Josh Bressers <bressers () redhat com>
Date: Wed, 30 Jun 2010 15:22:23 -0400 (EDT)
Please use CVE-2010-2477

Thanks.

-- 
JB

----- "Raphael Geissert" <geissert () debian org> wrote:
Hi,

Quoting [1]:

Paste 1.7.4 is released. The only real change is to paste.httpexceptions, which was using insecure quoting of some parameters and allowed an XSS hole, most specifically with its 404 messages. The most notable WSGI applications using this are paste.urlparse.StaticURLParser and PkgResourcesParser. By directing someone to an appropriately formed URL an attacker can execute arbitrary Javascript on the victim's client. paste.urlmap.URLMap is also affected, but only if you have no application attached to /. Other applications using paste.httpexceptions may be affected (especially HTTPNotFound). WebOb/webob.exc.HTTPNotFound is not affected.

The commit fixing this bug appears to be:
http://bitbucket.org/ianb/paste/changeset/fcae59df8b56

Homepage: http://pythonpaste.org/

Could a CVE be assigned?

Thanks in advance.

[1] http://groups.google.com/group/paste-users/browse_thread/thread/3b3fff3dadd0b1e5?pli=1

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
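The bug class behind this CVE, as an added illustration that is not Paste's code and not the linked fix: a WSGI 404 handler that echoes the request path into its HTML body. The `escape=False` variant reproduces the vulnerable pattern (request-derived text interpolated into markup unescaped); the `escape=True` variant applies the fix (HTML-escape before interpolation). The template, function names and the attacker path are constructed for this example; the harness drives the app in-process with `wsgiref.util.setup_testing_defaults`, so no server or network is involved.

```python
import html
from wsgiref.util import setup_testing_defaults

# Constructed attacker-controlled request path. A WSGI server percent-decodes
# the URL before setting PATH_INFO, so "%3Cscript%3E" in a link the victim
# follows arrives here as a literal "<script>".
PAYLOAD_PATH = "/no/such/file/<script>alert(1)</script>"

# Illustrative 404 template (not Paste's): it echoes the requested path.
NOT_FOUND_TEMPLATE = (
    "<html><head><title>404 Not Found</title></head><body>\n"
    "<h1>404 Not Found</h1>\n"
    "<p>The resource could not be found.</p>\n"
    "<p>{path}</p>\n"
    "</body></html>\n"
)


def not_found_body(path, escape):
    """Render a 404 page that echoes the request path.

    escape=False reproduces the bug class: request-derived text goes into
    the HTML as-is, so '<', '>' and quotes in the URL become markup.
    escape=True is the fix: HTML-escape the text first.
    """
    shown = html.escape(path, quote=True) if escape else path
    return NOT_FOUND_TEMPLATE.format(path=shown)


def make_app(escape):
    """Build a minimal WSGI app that answers every request with a 404."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        body = not_found_body(path, escape).encode("utf-8")
        start_response("404 Not Found", [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Length", str(len(body))),
        ])
        return [body]
    return app


def run(app, path):
    """Drive a WSGI app in-process with a synthetic environ (no network)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)  # fills the rest of the environ via setdefault
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)
        return lambda data: None

    chunks = app(environ, start_response)
    try:
        body = b"".join(chunks).decode("utf-8")
    finally:
        close = getattr(chunks, "close", None)
        if close:
            close()
    return captured["status"], captured["headers"], body


def reflects_unescaped(body, payload=PAYLOAD_PATH):
    """True if the attacker's markup appears verbatim in the response body."""
    return payload in body


if __name__ == "__main__":
    for escape in (False, True):
        status, _, body = run(make_app(escape), PAYLOAD_PATH)
        print("escape=%-5s %s reflected unescaped: %s"
              % (escape, status, reflects_unescaped(body)))
```

The check to run against a real deployment is the same one `reflects_unescaped` performs: request a non-existent path carrying percent-encoded markup and look for it verbatim in the 404 body. Escaping at the point of interpolation, not at the point of input, is what closes the hole, because the same path value may legitimately need to appear in a header, a log line and an HTML body, each with different quoting rules.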
Current thread:
- CVE request: XSS in python paste Raphael Geissert (Jun 29)
- Re: CVE request: XSS in python paste Josh Bressers (Jun 30)