On Thu, Aug 07, 2008 at 05:40:08PM +1000, Steffen Joeris wrote:
> Hi

Hi,
>
> I've attached the part from the upstream VCS, which should address this XSS.
> Upstream confirmed this via private email. I am still looking into #493372,
> but it seems that unstable and testing are already fixed.
No, there is no fix in unstable and testing, because the used version is
also 0.95-1 and the patch isn't included - I checked it again today.
But if the maintainer fixes #493372 they will also fix this bug within the
upstream patch, I think, and so it's not very important to discuss it anymore,
because it's just an XSS issue which isn't a very hard bug :)
> Cheers
> Steffen
Kind regards,
Thomas.
> --- new/owl-dms-0.95/lib/owl.lib.php 2007-10-07 13:42:37.000000000 +0000
> +++ upstream/owl.lib.php 2008-08-06 14:18:41.000000000 +0000
> @@ -70,6 +71,9 @@
> }
> }
>
> +$username = ereg_replace('<script>','', $username);
> +$username = ereg_replace('</script>','', $username);
> +
> require_once($default->owl_fs_root ."/lib/sort.lib.php");
>
> if(!empty($_GET[currentdb]))
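Review bot: the two added ereg_replace() calls only strip the literal strings `<script>` and `</script>` from $username, which is an input blacklist rather than a fix for the XSS: any other markup, a differently cased tag (ereg_replace is case-sensitive) or a tag with attributes passes through unchanged, and ereg_replace itself is deprecated in favour of preg_replace(). The robust change is to escape the value where it is written into HTML, e.g. `echo htmlspecialchars($username, ENT_QUOTES)`, and leave the stored value intact; if an input-side filter is kept at all, it should be a whitelist on the allowed username characters, not a removal of two fixed strings. The unchanged context line `if(!empty($_GET[currentdb]))` also uses an unquoted array key, which is a notice-producing constant lookup and should read `$_GET['currentdb']`.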