oss-sec mailing list archives

Re: CVE Request -- php-geshi / GeSHi (1.0.8.11): Remote directory traversal and information disclosure in the cssgen contrib module (plus possibly XSS, but it needs upstream to confirm)


From: Raphael Geissert <geissert () debian org>
Date: Tue, 21 Aug 2012 11:15:24 -0500

Hi Jan, everyone,

[can't seem to follow-up via email, sorry for not CC'ing the others]

Jan Lieskovsky wrote:
  Issue #B:
  ---------
  Then there is a report about a non-persistent XSS flaw that has been
  fixed in the contrib module of the 1.0.8.11 version too:
  [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685323

  but I was unable to find the relevant upstream patch (and the above Debian
  BTS entry doesn't contain further information either, which could be acted
  upon).

The fix is:
http://geshi.svn.sourceforge.net/viewvc/geshi?view=revision&revision=2508

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net


