oss-sec mailing list archives

Re: CVE request: XSS in python paste


From: Josh Bressers <bressers () redhat com>
Date: Wed, 30 Jun 2010 15:22:23 -0400 (EDT)

Please use CVE-2010-2477

Thanks.

-- 
    JB


----- "Raphael Geissert" <geissert () debian org> wrote:

Hi,

Quoting [1]:

Paste 1.7.4 is released.  The only real change is to paste.httpexceptions, which was using insecure quoting of some parameters and allowed an XSS hole, most specifically with its 404 messages.  The most notable WSGI applications using this are paste.urlparse.StaticURLParser and PkgResourcesParser.  By directing someone to an appropriately formed URL an attacker can execute arbitrary Javascript on the victim's client.  paste.urlmap.URLMap is also affected, but only if you have no application attached to /.  Other applications using paste.httpexceptions may be affected (especially HTTPNotFound).  WebOb/webob.exc.HTTPNotFound is not affected.

The commit fixing this bug appears to be:
http://bitbucket.org/ianb/paste/changeset/fcae59df8b56
Homepage:
http://pythonpaste.org/

Could a CVE be assigned?

Thanks in advance.

[1] http://groups.google.com/group/paste-users/browse_thread/thread/3b3fff3dadd0b1e5?pli=1

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
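The insecure-quoting pattern the release note describes (a 404 page that echoes the request path into HTML verbatim) beside its hardened form, as an added example that is not part of this thread or of Paste's own code; the WSGI app, the page template and the probe path are constructed for illustration.

```python
import html

# Constructed 404 page template; {path} is the only substitution point.
TEMPLATE = (
    "<html><head><title>404 Not Found</title></head>"
    "<body><h1>404 Not Found</h1>"
    "<p>The resource could not be found.</p>"
    "<p>Path: {path}</p></body></html>"
)


def make_not_found_app(escape_path):
    """Return a WSGI app that answers every request with a 404 page.

    escape_path=False reproduces the insecure-quoting pattern from the
    release note: PATH_INFO is interpolated into the HTML body unescaped.
    escape_path=True is the hardened form: the path is HTML-escaped first,
    so markup in the URL is shown as text rather than rendered.
    """
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        shown = html.escape(path, quote=True) if escape_path else path
        body = TEMPLATE.format(path=shown).encode("utf-8")
        start_response("404 Not Found", [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Length", str(len(body))),
        ])
        return [body]
    return app


def render(app, path):
    """Drive a WSGI app offline for one GET; return (status, body text)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    chunks = app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response)
    return captured["status"], b"".join(chunks).decode("utf-8")


def reflects_raw_markup(app, probe_path):
    """Regression check: True if the 404 body echoes the probe path unescaped."""
    _, body = render(app, probe_path)
    return probe_path in body


# Constructed probe: a not-found path that carries an HTML tag.
PROBE = "/no/such/<b>page</b>"
```

Running `reflects_raw_markup(make_not_found_app(False), PROBE)` returns True for the unescaped app and False for the escaped one, which is the check to keep in a test suite for any handler that builds error pages from request data.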

