tags 404234 patch moreinfo thanks Hi,
> A vulnerability has been found in webcalender: > > Cross-site scripting (XSS) vulnerability in export_handler.php in > WebCalendar 1.0.4 and earlier allows remote attackers to inject > arbitrary web script or HTML via the format parameter. I can see what this is most probably about, and a fix is included in the attached patch. Upstream does not have any indication of having this fixed yet. > I think it would be nice if it was fixed in etch, but I guess one > could also argue that this is not RC. I haven't found a concrete way to exploit it yet, since some HTML inputs are stripped from all input parameters. A concrete example would help to confirm the status of this bug. Do you have one? Thijs
--- webcalendar-1.0.4.orig/export_handler.php +++ webcalendar-1.0.4/export_handler.php @@ -1016,7 +1016,7 @@ $format = getValue ( 'format' ); if ( $format != 'ical' && $format != 'vcal' && $format != 'pilot-csv' && $format != 'pilot-text' ) - die_miserable_death ( "Invalid format '" . $format . "'" ); + die_miserable_death ( "Invalid format '" . htmlspecialchars($format) . "'" ); $use_all_dates = getPostValue ( 'use_all_dates' ); if ( $use_all_dates != 'y' )
signature.asc
Description: This is a digitally signed message part
