retitle 376442 phpqladmin: many cross site scripting problems
tags 376442 +upstream
thanks
Hello,

> CVE-2006-3301: "Multiple cross-site scripting (XSS) vulnerabilities in
> phpQLAdmin 2.2.7 and earlier allow remote attackers to inject arbitrary
> web script or HTML via the domain parameter in (1) user_add.php or (2)
> unit_add.php."

I've taken a look, and those files are indeed vulnerable, but a quick look at some of the other files in the package reveals that there are many more problems in many files, some examples:

- domain_add.php $_REQUEST["domain"]
- domain_add_form.php $server
- domain_del.php $domain
- domain_detail.php $msg
- search.php $msg
- ezmlm_detail.php $msg
- config_detail.php $msg
- user_detail.php $msg
- control_detail.php $msg
- home.php $msg

just to name the first 10 I encountered.

What next? I don't think it makes sense to create a big patch just for Debian, but rather to get a newly fixed upstream in - since upstream will need to fix this problem in any case. I propose to:

- Remove the package from testing;
- Keep this bug open until upstream has addressed the issues;
- Package that version and only then let phpqladmin flow back into testing.

Thijs
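The pattern behind every entry in the list above is the same: a request parameter (`$msg`, `$domain`, `$server`, `$_REQUEST["domain"]`) is written into the page as HTML without escaping. The following is an added illustration of that vulnerable pattern next to its hardened form; it is not phpQLAdmin's code and does not reproduce any of the files named in the report. It assumes a hypothetical page that echoes a `msg` parameter, and it assumes the parameter arrives via `$_REQUEST` (on a register_globals setup the same value would simply appear as `$msg`); both the page name and the parameter origin are assumptions.

```php
<?php
// Added example, not phpQLAdmin code. Shows the reflected-XSS pattern
// reported in the bug (an unescaped request parameter emitted into HTML)
// beside the corrected form. Page name and parameter origin are assumed.

declare(strict_types=1);

// Vulnerable: the client-supplied string is interpolated verbatim, so a
// value such as <script>...</script> becomes live markup in the response.
function render_notice_vulnerable(string $msg): string
{
    return "<div class=\"notice\">$msg</div>";
}

// Hardened: escape for the HTML context before interpolating.
// ENT_QUOTES also escapes ' and " so the same helper is safe inside
// attribute values; ENT_SUBSTITUTE avoids returning an empty string on
// invalid byte sequences; the charset must match the page's actual encoding.
function render_notice_safe(string $msg): string
{
    $escaped = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<div class=\"notice\">$escaped</div>";
}

// Same fix applied to the "domain" parameter case from the CVE text:
// escape at the point of output, whatever the variable is called.
function render_domain_row_safe(string $domain): string
{
    $escaped = htmlspecialchars($domain, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<tr><td>$escaped</td></tr>";
}

// Constructed payload, as it could be passed in ?msg=... (test data, not
// taken from any real report).
$payload = '<script>alert(document.cookie)</script>';

// Read the parameter explicitly instead of relying on register_globals;
// fall back to the constructed payload so the script runs from the CLI.
$msg = isset($_REQUEST['msg']) ? (string) $_REQUEST['msg'] : $payload;

echo render_notice_vulnerable($msg), PHP_EOL;
echo render_notice_safe($msg), PHP_EOL;
echo render_domain_row_safe('example.org" onmouseover="alert(1)'), PHP_EOL;
```

Run with `php example.php` from the command line (or request it through a web server with `?msg=...`) and compare the two `div` lines: the first carries the script tag through unchanged, the second turns `<`, `>` and the quotes into entities. The practical check for the rest of the package is the one Thijs describes, reading each file for variables that go straight from the request into `echo`/`print` or string interpolation; every such site needs the same output escaping, which is why a per-file Debian patch would be large and an upstream fix is the sensible route.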