oss-sec mailing list archives
CVE Request: ikiwiki: HTML-escape error messages to prevent cross-site scripting attack
From: Salvatore Bonaccorso <carnil () debian org>
Date: Fri, 6 May 2016 21:30:41 +0200
Hi

Release 3.20160506 of ikiwiki, a wiki compiler, fixed a cross-site scripting vulnerability. It has been fixed with the following commit:

http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=32ef584dc5abb6ddb9f794f94ea0b2934967bba7

    Subject: [PATCH] HTML-escape error messages (OVE-20160505-0012)

    The instance in cgierror() is a potential cross-site scripting attack,
    because an attacker could conceivably cause some module to raise an
    exception that includes attacker-supplied HTML in its message, for
    example via a crafted filename. (OVE-20160505-0012)

    The instances in preprocess() are just correctness. It is not a
    cross-site scripting attack, because an attacker could equally well
    write the desired HTML themselves; the sanitize hook is what protects
    us from cross-site scripting here.

Could you please assign a CVE identifier for this issue.

Regards,
Salvatore
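The cgierror() problem described in the commit message is the general pattern of an exception message, which may carry attacker-influenced text such as a filename, being interpolated into an HTML error page without escaping. The following is an added illustration written for this archive page, not ikiwiki's own Perl code: it models the "before" and "after" renderers in Python, with the function names, the page layout and the crafted filename in the sample message all constructed for the example.

```python
import html

# Constructed sample input: an exception message that embeds a crafted
# filename, the kind of attacker-influenced text the commit message describes.
CRAFTED_MESSAGE = "cannot read srcdir/<script>alert(1)</script>.mdwn: No such file"


def cgierror_unescaped(message: str) -> str:
    """'Before' pattern (hypothetical): exception text dropped straight into HTML.

    Any markup inside the message is rendered by the browser as markup.
    """
    return f"<html><body><p>Error: {message}</p></body></html>"


def cgierror_escaped(message: str) -> str:
    """'After' pattern (hypothetical): escape the message before it becomes HTML.

    html.escape turns < > & and quotes into entities, so the message is shown
    as text even when it originated from a filename or other request data.
    """
    return f"<html><body><p>Error: {html.escape(message, quote=True)}</p></body></html>"


def render_error_page(exc: BaseException, escape: bool = True) -> str:
    """Convert a caught exception into an error page, escaping by default."""
    renderer = cgierror_escaped if escape else cgierror_unescaped
    return renderer(str(exc))


def contains_raw_markup(page: str, body_marker: str = "Error: ") -> bool:
    """Heuristic regression check: does the rendered message still hold a raw tag?

    Looks only at the text between the error marker and the closing </p>,
    so the page's own wrapper tags are not counted.
    """
    body = page.split(body_marker, 1)[1]
    return "<" in body.split("</p>", 1)[0]


if __name__ == "__main__":
    try:
        raise OSError(CRAFTED_MESSAGE)
    except OSError as exc:
        print(render_error_page(exc, escape=False))  # raw <script> reaches the page
        print(render_error_page(exc, escape=True))   # shown as &lt;script&gt; text
```

The escaped variant is the one to keep; the second point in the commit message (preprocess() output is already passed through the sanitize hook) is a reminder that output escaping is only a defence where no later sanitisation stage covers the same text.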