squidclamav -- cross-site scripting in default virus warning pages

ID CE680F0A-EEA6-11E1-8BD8-0022156E8794
Type freebsd
Reporter FreeBSD
Modified 2012-07-24T00:00:00


SquidClamav developers report:

This release fixes several security issues by escaping CGI parameters.

Prior to versions 6.7 and 5.8, the CGI script clwarn.cgi did not properly sanitize its input variables, so they could be used to inject arbitrary strings into the generated page, leading to cross-site scripting attacks.