Samizdat 0.6.1 Cross Site Scripting

2009-02-13T00:00:00
ID PACKETSTORM:74937
Type packetstorm
Reporter Dmitry Borodaenko
Modified 2009-02-13T00:00:00

Description

                                        
                                            `Software: Samizdat, an open publishing web application written in Ruby  
Vulnerability: cross-site scripting  
Vulnerable Versions: 0.6.1 and earlier  
Non-vulnerable Versions: 0.6.2, Debian package 0.6.1-3lenny1  
Patch: http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-xss-escape-title.patch  
References: CVS-2009-0359, DTSA-194-1  
  
Description:  
  
Samizdat 0.6.1 contains several code paths that fail to escape special HTML  
characters in message title and user full name before these strings are included  
in a Web page (in earlier versions, only user full name is exploitable). This  
allows an attacker to perform a cross-site scripting attack by including a  
specially crafted string in their full name or message title.  
  
Test:  
  
Login. Set your full name to a string including a special HTML character (any of  
&"'<>). Publish a message with a title that includes a special character. Find  
your message in the list of recent updates on the site front page, check the  
HTML source to see whether the special characters were escaped as HTML entities.  
  
Fix:  
  
Samizdat 0.6.2 includes a fix for this vulnerability. Alternatively, a patch for  
Samizdat 0.6.1 that closes this vulnerability is referenced above; it is also  
recommended to apply a second patch that improves stability of the Samizdat  
Sanitize module (a white-list HTML filter used to remove dangerous tags,  
attributes, and CSS properties from user-submitted HTML):  
  
http://samizdat.nongnu.org/release-notes/samizdat-0.6.1-tidy-binary.patch  
  
Both patches are included in the Debian package version 0.6.1-3lenny1.  
  
--   
Dmitry Borodaenko  
`