oss-sec mailing list archives

CVE Request: ikiwiki: HTML-escape error messages to prevent cross-site scripting attack

From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 6 May 2016 21:30:41 +0200

Hi

Release 3.20160506 of ikiwiki, a wiki compiler, fixed a cross-site
scripting vulnerability. It has been fixed with the following commit:

http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7

Subject: [PATCH] HTML-escape error messages (OVE-20160505-0012)

The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012)

The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.


Could you please assign a CVE identifier for this issue.

Regards,
Salvatore

Current thread:

CVE Request: ikiwiki: HTML-escape error messages to prevent cross-site scripting attack Salvatore Bonaccorso (May 06)
- Re: CVE Request: ikiwiki: HTML-escape error messages to prevent cross-site scripting attack cve-assign (May 06)