Re: CVE request: XSS on Monkey HTTPD - dirlisting plugin

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/14/2013 11:21 AM, Felipe Pena wrote:
> A vulnerability was found in the Monkey HTTP - dirlisting plugin, which does not
> filter file names before printing on HTML page, hence vulnerable to XSS attack.
>
> PoC
> ----
> $ touch "' onmouseover='alert(1);"
>
>
> Report
> ------
> http://bugs.monkey-project.com/ticket/185
>
>
> CREDITS
> -------
> Felipe Pena
>
> --
> Regards,
> Felipe Pena

Please use CVE-2013-2181 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRu3axAAoJEBYNRVNeJnmTE9gP/R+VUc9EuW6DDGfd9wmTDF8y
yYxdP37NAVwfEo7vHHgwtyK2rRawVxSSbRCN0yWgUNshuBGLxkpuaF3IWAmav3rf
ARfh8QSnTj+R8+8SPjxeW+Pn4gGIHpJqLRj+U61denpQ7m7UKQfsqtOn16v8zLt3
kjXdkhvPVC3JZXWzGSFV89CESH3WapVsTyArheRt0d71V34TG9d+uTh9hUl5e+EC
Apy4xQ093gVKldPdRh5EFakIOwrL3mmEKjTE2S3lbXe2oNtiBtMVwHDSyF3aMrkJ
aEWXGHrfnNctb+MxOIisSSYAmFUMkyJ1uFQUgvJJT8SnWcihmv2NYFkRYmUGWkyR
wdQppuIuy+ynnXosZN4Pf+EukDHUh0ryX2QcrV6HBvTj5oLFjLN800zvNZSypdNe
wBFAV/ZFSdUCoct9tw3jDKm4LhWj7gG/hqRBrwdUjO2E8vQILzMvCye4lkTCKPO6
FLTdUByPec2k6UVSU/7c0l/x7RI8TF/T85dOiEavTLrYJhv2n5ZVKTmV6ZfZwbNR
1HRuaausC2vwui7NZa1TY1tGD3BVdK/jBYPKNKOFpwFt5udO0WiO9FeDvnUwbAAu
xeNPviD3MqhZROU2d1fQdS6e8CTzUhbFxzv1a/NETDKbEMqhtUFMeUJlG21EKaNp
lvzoDLMnLwAtgtFdeeSF
=secC
-----END PGP SIGNATURE-----