Subject: A security issue was recently discovered in cgiirc.
Package: cgiirc
Version: Security issue in CGI::IRC
Severity: important

Michael Brooks (Sitewatch) discovered a reflected XSS flaw in
CGI::IRC.

Mozilla have assigned CVE-2011-0050 for this issue; please reference
this in the changelog.

This bug and issue correspond to the recently released DSA-2158-1.


Patch is as follows:
diff --git a/interfaces/nonjs.pm b/interfaces/nonjs.pm
index 9498cb6..72fb0a3 100644
--- a/interfaces/nonjs.pm
    +++ b/interfaces/nonjs.pm
    @@ -198,10 +198,11 @@ EOF

    sub fuserlist {
       my($self, $cgi, $config) = @_;
       +   my $r = _escape($cgi->{R});
       print <<EOF;
       $standardheader
       <html><head>
       -<noscript><meta http-equiv="Refresh"
        content="15;URL=$config->{script_form}?R=$cgi->{R}&item=userlist"></no
        scr
        +<noscript><meta http-equiv="Refresh"
        content="15;URL=$config->{script_form}?R=$r&item=userlist"></noscript>
        </head><body bgcolor="#ffffff" text="#000000">
        Loading..
        </body></html>
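Review bot: the new `$r` is interpolated into a double-quoted `content="..."` attribute, but this hunk does not show the definition of `_escape`, so confirm that it encodes `"` in addition to `<`, `>` and `&`; an escaper that only handles angle brackets would still let a `"` in `R` break out of the attribute. Since the value also lands inside the `URL=...?R=$r&item=userlist` query string, percent-encoding `R` (for example with `URI::Escape::uri_escape`) before HTML-escaping the attribute would cover both contexts at once. Note also that `$config->{script_form}` is still interpolated unescaped on the same line; that value is configuration-controlled rather than request-controlled, so it is a lower risk, but it is worth documenting that assumption next to the fix.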


-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/3 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
